IceHrm <=7.1 Multiple Vulnerabilities

Critical
Advisory ID
ZSL-2014-5215
Release Date
08 December 2014
Vendor
Affected Version
<= 7.1
CVE
N/A
Tested On
Apache/2.2.15 (Unix), PHP/5.3.3, MySQL 5.1.73
Summary

IceHrm is Human Resource Management web software for small and medium-sized organizations. The software is written in PHP. It is available as a community (free) edition, a commercial edition and a hosted (cloud) solution.

Description

IceHrm <= 7.1 suffers from multiple vulnerabilities, including Local File Inclusion, Cross-Site Scripting, Malicious File Upload, Cross-Site Request Forgery and Code Execution.

Proof of Concept
Disclosure Timeline
01.12.2014 Vulnerabilities discovered.
02.12.2014 Vendor contacted.
02.12.2014 Vendor confirms the issues, promising a patch.
04.12.2014 Vendor releases update (new version: v7.2).
05.12.2014 Vendor confirms the patch release.
08.12.2014 Coordinated public security advisory released.
Credits
Vulnerability discovered by Stefan Petrushevski
References
Changelog
08.12.2014 Initial release
09.12.2014 Added references [3], [4], [5], [6], [7], [8], [9], [10], [11], [12] and [13]
10.12.2014 Added reference [14]
15.12.2014 Added reference [15]