Security Research & Advisories

Stored Cross-Site Scripting Vulnerabilities in Sentrifugo HRMS

Product Sentrifugo HRMS
Affected Version(s) 3.2 and probably prior
Tested Version(s) 3.2
Vendor Notification 06 November 2020
Advisory Publication 06 November 2020 [without technical details]
Vendor Fix N/A
Public Disclosure 06 November 2020
Latest Modification 05 November 2020
CVE Identifier Pending
Product Description Sentrifugo is a FREE and powerful Human Resource Management System that can be easily configured to meet your organizational needs.
Credits Luis Noriega, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Stored Cross-Site Scripting (XSS) Vulnerability
Severity: Medium
CVSS Score: 6.1
CWE-ID: CWE-79
Status: Open
Vulnerability Description
Sentrifugo 3.2 is affected by a stored Cross-Site Scripting (XSS) vulnerability. The value of the X-Forwarded-For HTTP header sent with a login attempt is stored without sanitization, so a payload placed in that header (which is fully attacker-controlled) is persisted in the user logs. When an administrator later views the user logs, the stored payload is rendered as markup and executes in the administrator's browser.
CVSS Base Score
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low

Note that the metrics as listed (Privileges Required: Low, Availability Impact: Low) compute to 6.5 under CVSS v3.1, not to the 6.1 stated above; 6.1 is the score of the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, the usual vector for stored XSS where the injecting request needs no privileges and no availability impact is claimed.


Full details about the vulnerability will be disclosed once the vendor has provided a patch.
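Because the advisory withholds the exploit details, the following is an added example that is not Sentrifugo's code and not wizlynx group's proof of concept; it models the pattern the description names, a login handler that persists the raw X-Forwarded-For value and an admin page that echoes it. It shows the vulnerable rendering beside a hardened version that validates the header as an IP address and HTML-encodes it at output, plus a small check that flags login-log entries whose X-Forwarded-For field is not a list of IP addresses. The payload, the key=value log format and the log lines are constructed for the example and are not Sentrifugo's real format.

```python
import html
import ipaddress
import re
from typing import List, Optional

# Constructed inputs for the example: a benign proxy chain and a header carrying markup.
BENIGN_XFF = "203.0.113.7, 198.51.100.9"
ATTACK_XFF = "<script>alert(document.cookie)</script>"


def vulnerable_log_row(xff_value: str) -> str:
    """Vulnerable pattern: the raw header value is stored at login time and later
    written into the admin's log view unchanged, so any markup in it is rendered."""
    return f"<td>{xff_value}</td>"


def is_ip(text: str) -> bool:
    """True only if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text.strip())
        return True
    except ValueError:
        return False


def client_ip_from_xff(xff_value: str) -> Optional[str]:
    """Input validation: X-Forwarded-For is a comma-separated list of addresses.
    Keep the first entry and accept it only if it is a real IP address."""
    first = xff_value.split(",", 1)[0].strip()
    return first if is_ip(first) else None


def hardened_log_row(xff_value: str) -> str:
    """Hardened pattern: store the validated IP where possible, and HTML-encode
    whatever is displayed so a stored value can never become live markup."""
    ip = client_ip_from_xff(xff_value)
    shown = ip if ip is not None else xff_value
    return f"<td>{html.escape(shown, quote=True)}</td>"


# Constructed login-log lines in a hypothetical key=value format (not Sentrifugo's real log format).
SAMPLE_LOG: List[str] = [
    'ts=2020-11-06T10:00:01Z event=login user=alice result=ok xff="203.0.113.7"',
    'ts=2020-11-06T10:00:09Z event=login user=bob result=fail xff="<script>alert(document.cookie)</script>"',
    'ts=2020-11-06T10:01:13Z event=login user=carol result=ok xff="198.51.100.9, 10.0.0.5"',
]

# Extracts the quoted X-Forwarded-For field from one constructed log line.
XFF_FIELD = re.compile(r'xff="([^"]*)"')


def suspicious_xff_entries(lines: List[str]) -> List[str]:
    """Detection: return the log lines whose X-Forwarded-For field contains anything
    that is not a comma-separated list of IP addresses."""
    flagged = []
    for line in lines:
        match = XFF_FIELD.search(line)
        if match is None:
            continue
        entries = match.group(1).split(",")
        if not all(is_ip(entry) for entry in entries):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", vulnerable_log_row(ATTACK_XFF))
    print("hardened:  ", hardened_log_row(ATTACK_XFF))
    print("flagged:   ", suspicious_xff_entries(SAMPLE_LOG))
```

The hardened version applies both controls deliberately: validation on input keeps the stored field an IP address, and encoding on output guarantees that even a value that slipped past validation (or was stored before the fix) cannot execute when an administrator opens the log page. The detection check is the forensic counterpart: run over existing login logs it surfaces entries already injected before a patch is applied.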