ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation

EDB-ID:

50030

CVE:

N/A




Platform:

PHP

Date:

2021-06-18


# Exploit Title: ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation
# Exploit Author: *Piyush Patil *& Rafal Lykowski
# Vendor Homepage: https://icehrm.com/
# Version: 29.0.0.OS
# Tested on: Windows 10 and Kali

#Description
ICE Hrm Version 29.0.0.OS is vulnerable to session fixation and reflected cross site scripting leading to full account takeover.

#Steps to reproduce the attack:
1-Open 2 different browsers (or one with 2 windows - one of them opened in incognito mode)
2-Log in to the system, 
3-Paste this payload into the address bar and load it:
http://localhost:8070/app/?g=admin&n=dashboard&m=21484%27%3bdocument.cookie=%22PHPSESSID=12345;path=/;%22%2f%2f
It simulates victim executing XSS.
4-In the incognito window do not log in but just modify session cookie value to 12345.
5-Navigate to any application url - you will realize that you are authorized. It means that your account was taken over.

#Video POC:
https://drive.google.com/file/d/1egynTGh0XsETgfu7SJtIPv1GZCs1dJ67/view?usp=sharing