CVE ID | CVE-2024-7269 |
Publication date | 28 August 2024 |
Vendor | ConnX |
Product | ESP HR Management |
Vulnerable versions | All before 6.6 |
Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerability in ConnX ESP HR Management software and participated in coordination of its disclosure.
The vulnerability CVE-2024-7269 in "Update of Personal Details" form in ConnX ESP HR Management allows Stored XSS attack. An attacker might inject a script to be run in user's browser.
After multiple attempts to contact the vendor we did not receive any answer. The finder provided the information that this issue affects ESP HR Management versions before 6.6.
Credits
We thank Mariusz Sepczuk for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.