# Exploit Title: Ice HRM 26.2.0 - Cross-Site Request Forgery (Add User)
# Date: 2020-02-14
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://icehrm.com/
# Software Link: https://sourceforge.net/projects/icehrm/
# Version: 26.2.0
# Tested on: Windows 10/Kali Rolling

# The Ice HRM Web Application is vulnerable to CSRF that leads to arbitrary user creation or password change:

# POC for user creation:
# POC for Password Change: