icehrm CVE Vulnerabilities & Metrics

Focus on icehrm vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About icehrm Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with icehrm. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total icehrm CVEs: 15
Earliest CVE date: 14 Jun 2018, 21:29 UTC
Latest CVE date: 25 Jan 2024, 12:15 UTC

Latest CVE reference: CVE-2023-6282

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -100.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -100.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical icehrm CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.69

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	4
4.0-6.9	10
7.0-8.9	1
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS icehrm CVEs

These are the five CVEs with the highest CVSS scores for icehrm, sorted by severity first and recency.

CVE-2021-38823 icehrm Published on 04 Oct 2021, 14:15 UTC (CVSS: 7.5)
The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.
CVE-2021-34244 icehrm Published on 22 Jun 2021, 14:15 UTC (CVSS: 6.8)
A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords.
CVE-2020-9270 icehrm Published on 18 Feb 2020, 19:15 UTC (CVSS: 6.8)
ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via service.php.
CVE-2020-6114 icehrm Published on 10 Jul 2020, 18:15 UTC (CVSS: 6.5)
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2021-35046 icehrm Published on 22 Jun 2021, 14:15 UTC (CVSS: 5.8)
A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie.

All CVEs for icehrm

CVE-2023-6282 icehrm vulnerability CVSS: 0 25 Jan 2024, 12:15 UTC

IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially hijacking the victim's browser.

CVE-2022-26588 icehrm vulnerability CVSS: 4.3 08 Apr 2022, 21:15 UTC

A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI.

CVE-2022-25015 icehrm vulnerability CVSS: 3.5 28 Feb 2022, 19:15 UTC

A stored cross-site scripting (XSS) vulnerability in Ice Hrm 30.0.0.OS allows attackers to steal cookies via a crafted payload inserted into the First Name field.

CVE-2022-25014 icehrm vulnerability CVSS: 4.3 28 Feb 2022, 19:15 UTC

Ice Hrm 30.0.0.OS was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the "m" parameter in the Dashboard of the current user. This vulnerability allows attackers to compromise session credentials via user interaction with a crafted link.

CVE-2022-25013 icehrm vulnerability CVSS: 4.3 28 Feb 2022, 19:15 UTC

Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the "key" and "fm" parameters in the component login.php.

CVE-2021-38823 icehrm vulnerability CVSS: 7.5 04 Oct 2021, 14:15 UTC

The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin session that is opened in a different browser.

CVE-2021-38822 icehrm vulnerability CVSS: 3.5 04 Oct 2021, 14:15 UTC

A Stored Cross Site Scripting vulnerability via Malicious File Upload exists in multiple pages of IceHrm 30.0.0.OS that allows for arbitrary execution of JavaScript commands.

CVE-2021-35046 icehrm vulnerability CVSS: 5.8 22 Jun 2021, 14:15 UTC

A session fixation vulnerability was discovered in Ice Hrm 29.0.0 OS which allows an attacker to hijack a valid user session via a crafted session cookie.

CVE-2021-35045 icehrm vulnerability CVSS: 4.3 22 Jun 2021, 14:15 UTC

Cross site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint.

CVE-2021-34244 icehrm vulnerability CVSS: 6.8 22 Jun 2021, 14:15 UTC

A cross site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to create new admin accounts or change users' passwords.

CVE-2021-34243 icehrm vulnerability CVSS: 3.5 22 Jun 2021, 14:15 UTC

A stored cross site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS which allows attackers to execute arbitrary web scripts or HTML via a crafted file uploaded into the Document Management tab. The exploit is triggered when a user visits the upload location of the crafted file.

CVE-2020-6114 icehrm vulnerability CVSS: 6.5 10 Jul 2020, 18:15 UTC

An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVE-2020-9271 icehrm vulnerability CVSS: 4.3 18 Feb 2020, 19:15 UTC

ICE Hrm 26.2.0 is vulnerable to CSRF that leads to user creation via service.php.

CVE-2020-9270 icehrm vulnerability CVSS: 6.8 18 Feb 2020, 19:15 UTC

ICE Hrm 26.2.0 is vulnerable to CSRF that leads to password reset via service.php.

CVE-2018-12420 icehrm vulnerability CVSS: 5.0 14 Jun 2018, 21:29 UTC

IceHrm before 23.0.1.OS has a risky usage of a hashed password in a request.