Abstract Advisory Information
Security issue affecting the product EasyToRecruit (E2R), a software package for managing recruitment.
The upload feature and the Candidate Profile Management feature are vulnerable to Cross-Site Scripting (XSS) in multiple locations.
Author: Dominique Righetto
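The advisory does not describe how E2R renders the affected values, so the following is an added illustration of the vulnerability class only; it is not code from E2R or from the advisory author. It contrasts a hypothetical candidate profile page rendered without output encoding against the same page with encoding chosen per output context (HTML attribute, element text, URL path segment), and includes a check that flags when a markup probe reaches the output with its `<` intact. The field names, sample inputs, probes and function names are all constructed for this example.

```python
import html
from urllib.parse import quote

# Constructed sample inputs for this example (not from the advisory): one
# candidate profile field and one uploaded file name, each carrying an HTML probe.
SAMPLE_PROFILE = {"last_name": 'Doe"><img src=x onerror=alert(1)>', "city": "Paris"}
SAMPLE_UPLOAD_NAME = "cv<script>alert(document.cookie)</script>.pdf"

# Probes whose raw form must never reach the browser. Their entity-encoded
# forms ("&lt;img ", "&lt;script&gt;") are harmless text.
MARKUP_PROBES = ("<img ", "<script>")


def render_profile_unsafe(profile, upload_name):
    """Hypothetical page that interpolates untrusted values straight into HTML.

    The last name breaks out of the value="" attribute, and the upload name is
    written into both a URL and element text without any encoding.
    """
    return (
        f'<input name="last_name" value="{profile["last_name"]}">'
        f'<span class="city">{profile["city"]}</span>'
        f'<a href="/uploads/{upload_name}">{upload_name}</a>'
    )


def render_profile_safe(profile, upload_name):
    """Same page with encoding chosen per output context.

    - HTML attribute and element text: entity-encode, including quotes.
    - URL path segment: percent-encode first, then entity-encode the result,
      because the URL still sits inside an HTML attribute.
    """
    last_name = html.escape(profile["last_name"], quote=True)
    city = html.escape(profile["city"], quote=True)
    href = html.escape(quote(upload_name, safe=""), quote=True)
    link_text = html.escape(upload_name, quote=True)
    return (
        f'<input name="last_name" value="{last_name}">'
        f'<span class="city">{city}</span>'
        f'<a href="/uploads/{href}">{link_text}</a>'
    )


def has_unescaped_markup(rendered_html, probes=MARKUP_PROBES):
    """Return True when any probe survives into the output with its '<' intact."""
    return any(probe in rendered_html for probe in probes)


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_profile_unsafe), ("safe", render_profile_safe)):
        out = renderer(SAMPLE_PROFILE, SAMPLE_UPLOAD_NAME)
        print(f"{name}: unescaped markup present = {has_unescaped_markup(out)}")
        print("  " + out)
```

The point of the two-step treatment of the file name is that a single encoder is not enough: percent-encoding alone would leave a quote or `<` in element text untouched, and entity-encoding alone would leave `/` and `?` free to alter the URL. Running `has_unescaped_markup` against each place a profile field or file name is echoed is a cheap regression check once a fix like 2.11 is in place.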
Version affected
Name: EasyToRecruit
Versions: 2.10
Note: HR Recruitment states that only one custom version is affected.
Common Vulnerability Scoring System
Score: 6.1 (Medium)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Patches
The vulnerability is patched in version 2.11
References
None
Vulnerability Disclosure Timeline
- 07/12/2018: Vulnerability discovered
- 11/12/2018: Contact requested from HR Recruitment
- 20/12/2018: Vulnerability acknowledged and fixed by HR Recruitment
- 21/12/2018: CVE ID assigned by MITRE
- 03/01/2019: HR Recruitment states that only one custom version is affected
- 07/01/2019: Decision taken to publish the vulnerability regardless
- 17/01/2019: MITRE asked whether the CVE ID is still available
- 09/04/2019: New CVE ID assigned by MITRE
- 15/04/2019: Public disclosure