OrangeHRM[1] 2.7.1[2] – the latest stable release as of this writing –
suffers from a persistent XSS in the vacancy name variable. Steps:
1. Navigate to the following URL:
   http://[domain]/symfony/web/index.php/recruitment/viewJobVacancy
2. Add or edit a vacancy.
3. Put the XSS script in the Vacancy Name parameter.
4. Save.
5. Navigate back to the top vacancy page (click the back button).
6. Witness the XSS: the stored vacancy name is rendered unescaped.
Screenshots of the above exploit steps may be found on my website (for
those who want additional validation):
http://securitymaverick.com/?p=408
I contacted OrangeHRM[3] but did not receive a reply.
Thanks,
Ken
PS - Currently on Twitter:
https://twitter.com/infosecmaverick
[1] http://sourceforge.net/projects/orangehrm/
[2] http://sourceforge.net/projects/orangehrm/files/stable/2.7.1/
[3] http://www.orangehrm.com/
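As an added illustration, not part of Ken's post and not OrangeHRM's own PHP/Symfony code, the two rendering patterns at issue, shown in Python: the stored vacancy name interpolated into the listing verbatim (the advisory's bug class) next to the same row escaped for each HTML context it lands in, plus an audit helper a defender can run over already-stored names after patching. The column and field names are assumed from the advisory; the sample rows are constructed.

```python
import html
import re
from typing import Iterable

# Constructed sample of what the vacancy table might hold after the
# advisory's steps: one benign name and one that carries markup.
SAMPLE_VACANCIES = [
    {"id": 1, "name": "Software Engineer"},
    {"id": 2, "name": "QA Lead <script>alert(1)</script>"},
]


def render_vacancy_row_unsafe(vacancy: dict) -> str:
    """Vulnerable pattern: the stored value goes into the HTML as-is."""
    return (f'<tr><td><a href="viewJobVacancy?id={vacancy["id"]}">'
            f'{vacancy["name"]}</a></td></tr>')


def render_vacancy_row(vacancy: dict) -> str:
    """Hardened pattern: escape on output for every context the value lands in.

    html.escape(quote=True) neutralises < > & " and ', which covers both the
    element body (the link text) and a quoted attribute (the edit form's value).
    """
    name = html.escape(vacancy["name"], quote=True)
    vid = int(vacancy["id"])  # numeric id: cast so no markup can ride along
    return (f'<tr><td><a href="viewJobVacancy?id={vid}">{name}</a></td>'
            f'<td><input type="text" name="vacancyName" value="{name}"></td>'
            f'</tr>')


# Defender's cleanup check: names containing tag openers or inline event
# handler attributes are worth reviewing once the output encoding is fixed,
# because escaping stops execution but leaves the stored junk in place.
_MARKUP = re.compile(r"<\s*/?[a-zA-Z!]|\bon\w+\s*=", re.IGNORECASE)


def audit_vacancy_names(vacancies: Iterable[dict]) -> list:
    """Return the ids of vacancies whose stored name contains HTML markup."""
    return [v["id"] for v in vacancies if _MARKUP.search(v["name"])]
```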