Rafal Lykowski

7 exploits Active since May 2021
CVE-2021-33394 WRITEUP MEDIUM WRITEUP
Cubecart 6.4.2 - Session Fixation
Cubecart 6.4.2 allows Session Fixation. The application does not issue a new session identifier after the user logs in. An attacker can obtain a valid session cookie value and plant it in the victim's browser before authentication. Once the victim logs in, the planted identifier is bound to the authenticated session, so the attacker, who already holds the same value, gains access to the victim's account through the still-active session.
CVSS 5.4
CVE-2021-34243 WRITEUP MEDIUM WRITEUP
Icehrm - XSS
A stored cross-site scripting (XSS) vulnerability was discovered in Ice Hrm 29.0.0.OS that allows attackers to execute arbitrary web script or HTML via a crafted file uploaded through the Document Management tab. The payload fires when a user visits the location at which the uploaded file is served.
CVSS 5.4
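The stored XSS entry above (and the 'xml upload' ExploitDB entry lower on this page) comes down to how an uploaded document is served back: if the server hands an uploaded .xml or .svg to the browser inline with a document content type, the browser parses it in the application's origin and runs any script inside. The following is an added example, not code from Ice Hrm; the function names, the extension and marker lists, and the XHTML-in-XML payload are constructed for the demonstration. It contrasts a header set that renders the upload inline with one that forces a download and refuses sniffing.

```python
import mimetypes
import os
from typing import Dict

# Extensions a browser will render as a document (and run script in) when served inline.
# Assumed list for the demo; extend it to whatever your application stores.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".xml", ".xsl", ".xslt"}

# Byte markers that reveal active content regardless of the claimed extension.
# Only the first KiB is inspected; this is a cheap second line, not a parser.
ACTIVE_MARKERS = (b"<script", b"<svg", b"<?xml", b"<html",
                  b"javascript:", b"onload=", b"onerror=")

# Constructed payload: an XML file whose root element is XHTML. A browser that
# renders it as XML treats it as an XHTML document and executes the script.
PAYLOAD = (b'<?xml version="1.0"?>'
           b'<html xmlns="http://www.w3.org/1999/xhtml">'
           b'<script>alert(document.domain)</script></html>')


def looks_active(data: bytes) -> bool:
    """True when the leading bytes contain a marker of script-capable markup."""
    head = data[:1024].lower()
    return any(marker in head for marker in ACTIVE_MARKERS)


def serve_headers_vulnerable(filename: str) -> Dict[str, str]:
    """The weak pattern: type guessed from the stored name, served inline.

    An uploaded report.xml becomes text/xml (or application/xml) rendered in
    the application's origin, which is exactly what the stored XSS needs.
    """
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return {"Content-Type": ctype}


def serve_headers_fixed(filename: str, data: bytes) -> Dict[str, str]:
    """The hardened pattern: force a download, forbid sniffing, and relabel
    anything that is or looks like active markup as an opaque byte stream."""
    ext = os.path.splitext(filename)[1].lower()
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    if ext in ACTIVE_EXTENSIONS or looks_active(data):
        ctype = "application/octet-stream"
    # Strip path components and quotes so the name cannot break the header.
    safe_name = os.path.basename(filename).replace('"', "")
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        # Belt and braces: even if something renders it, script is disabled.
        "Content-Security-Policy": "sandbox",
    }


def renders_inline(headers: Dict[str, str]) -> bool:
    """Rough model of when a browser would render the response as a document
    rather than save it: no attachment disposition and a document content type."""
    disposition = headers.get("Content-Disposition", "inline")
    ctype = headers.get("Content-Type", "")
    document_types = {"application/xml", "image/svg+xml", "application/xhtml+xml"}
    return (not disposition.startswith("attachment")
            and (ctype.startswith("text/") or ctype in document_types))


if __name__ == "__main__":
    print("vulnerable renders inline:", renders_inline(serve_headers_vulnerable("report.xml")))
    print("fixed renders inline:", renders_inline(serve_headers_fixed("report.xml", PAYLOAD)))
```

The marker scan is deliberately crude; the defences that actually carry the weight are the `attachment` disposition and `nosniff`, which hold even for content the scan misses. Serving user uploads from a separate origin (a dedicated static domain) removes the remaining risk of the file being rendered in the application's origin at all.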
CVE-2021-34244 WRITEUP HIGH WORKING POC
Icehrm - CSRF
A cross-site request forgery (CSRF) vulnerability was discovered in Ice Hrm 29.0.0.OS that allows attackers to create new admin accounts or change users' passwords by having an authenticated user's browser submit forged requests to the application.
CVSS 8.8
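The CSRF entry above describes state-changing endpoints that trust the session cookie alone, so a request forged from an attacker-controlled page, which the victim's browser sends with the cookie attached, is accepted. The following is an added example, not code from Ice Hrm: a hypothetical `HrApp` with a password-change handler in a vulnerable and a hardened form, and a simulated forged request. All names, origins and the stored password are constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Request:
    """The parts of an HTTP POST that matter for CSRF: cookies, form fields, headers."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


class HrApp:
    """Hypothetical HR application with a password-change endpoint in two variants."""

    def __init__(self, origin: str = "https://hr.example.test") -> None:
        self.origin = origin
        self.sessions: Dict[str, dict] = {}
        self.passwords = {"alice": "old-password"}  # constructed user table

    def login(self, user: str) -> str:
        """Creates a session and a per-session synchronizer token that legitimate
        forms render into a hidden field."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid]["csrf"]

    def change_password_vulnerable(self, req: Request) -> int:
        """Authorises by session cookie alone: any site can submit this form."""
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None:
            return 401
        self.passwords[sess["user"]] = req.form.get("new_password", "")
        return 200

    def change_password_fixed(self, req: Request) -> int:
        """Same endpoint with two independent checks on top of the cookie."""
        sess = self.sessions.get(req.cookies.get("sid", ""))
        if sess is None:
            return 401
        # Check 1: browsers set Origin on cross-site POSTs; only our own origin may submit.
        if req.headers.get("Origin") != self.origin:
            return 403
        # Check 2: the form must echo the per-session token; compare in constant time.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403
        self.passwords[sess["user"]] = req.form.get("new_password", "")
        return 200


def forged_request(victim_sid: str) -> Request:
    """What the victim's browser sends after loading an attacker page with an
    auto-submitting form: the session cookie rides along, the Origin header
    names the attacker's site, and the attacker cannot know the token."""
    return Request(
        cookies={"sid": victim_sid},
        form={"new_password": "attacker-chosen"},
        headers={"Origin": "https://attacker.test"},
    )


def run_attack(handler: str) -> Tuple[int, str]:
    """Returns (status, alice's resulting password) for the named handler."""
    app = HrApp()
    sid = app.login("alice")
    status = getattr(app, handler)(forged_request(sid))
    return status, app.passwords["alice"]


def run_legitimate(handler: str) -> Tuple[int, str]:
    """A same-origin submission from a form that carried the token."""
    app = HrApp()
    sid = app.login("alice")
    req = Request(
        cookies={"sid": sid},
        form={"new_password": "new-password", "csrf_token": app.csrf_token(sid)},
        headers={"Origin": app.origin},
    )
    return getattr(app, handler)(req), app.passwords["alice"]


if __name__ == "__main__":
    print("vulnerable:", run_attack("change_password_vulnerable"))
    print("fixed:", run_attack("change_password_fixed"))
```

Either check alone defeats the forged request; keeping both covers clients that omit `Origin` on some requests and forms that leak the token. Marking the session cookie `SameSite=Lax` or `Strict` is a third, cookie-level layer worth adding, but it is not a substitute for the token on endpoints that can be reached by top-level navigation.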
CVE-2021-35045 WRITEUP MEDIUM WRITEUP
Ice Hrm 29.0.0.OS - XSS
Cross-site scripting (XSS) vulnerability in Ice Hrm 29.0.0.OS allows attackers to execute arbitrary web script or HTML in a victim's browser via the parameters to the /app/ endpoint.
CVSS 6.1
CVE-2021-35046 WRITEUP MEDIUM WRITEUP
Ice Hrm 29.0.0 - Info Disclosure
A session fixation vulnerability was discovered in Ice Hrm 29.0.0.OS that allows an attacker to hijack a valid user session via a crafted session cookie planted in the victim's browser before the victim authenticates.
CVSS 6.1
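Both session fixation entries on this page (CVE-2021-33394 in Cubecart and CVE-2021-35046 in Ice Hrm) have the same root cause: the session identifier that existed before login is kept after login. The following is an added example, not code from either project: a minimal in-memory session store with a login handler in the vulnerable form and in the fixed form (rotate the identifier on success, the equivalent of PHP's `session_regenerate_id(true)`), plus a function that plays the attack against either handler. All names and the credential table are constructed for the demo.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed credential table for the demo; the real applications use a database.
CREDENTIALS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session table: session id -> session data.

    Like non-strict PHP session handling, an id supplied by the client is
    adopted as-is. That is what lets an attacker choose the id in the first
    place; the login handler is where the id has to be rotated.
    """

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def resume(self, sid: Optional[str]) -> str:
        """Returns the session id for a request carrying cookie `sid` (or none)."""
        if sid is None:
            sid = secrets.token_hex(16)
        self.sessions.setdefault(sid, {})
        return sid


def login_vulnerable(store: SessionStore, sid: Optional[str],
                     user: str, password: str) -> Tuple[str, bool]:
    """Authenticates the user but keeps the pre-authentication session id."""
    sid = store.resume(sid)
    if CREDENTIALS.get(user) != password:
        return sid, False
    store.sessions[sid]["user"] = user
    return sid, True


def login_fixed(store: SessionStore, sid: Optional[str],
                user: str, password: str) -> Tuple[str, bool]:
    """Same check, but on success issues a fresh id, moves the session state to
    it and discards the old id, so a value the attacker knows is never bound
    to the authenticated session."""
    sid = store.resume(sid)
    if CREDENTIALS.get(user) != password:
        return sid, False
    fresh = secrets.token_hex(16)
    store.sessions[fresh] = store.sessions.pop(sid)
    store.sessions[fresh]["user"] = user
    return fresh, True


def whoami(store: SessionStore, sid: str) -> Optional[str]:
    """Which account the server attributes to a request carrying cookie `sid`."""
    return store.sessions.get(store.resume(sid), {}).get("user")


def fixation_attack(login: Callable[..., Tuple[str, bool]]) -> Optional[str]:
    """Plays the attack against a login handler and returns the account the
    attacker ends up logged in as (None when the attack fails)."""
    store = SessionStore()
    # 1. Attacker obtains any valid session id, here by simply visiting the site.
    planted = store.resume(None)
    # 2. Attacker plants it in the victim's browser (the delivery mechanism is
    #    outside this demo); the victim then logs in carrying that cookie.
    _, ok = login(store, planted, "alice", CREDENTIALS["alice"])
    assert ok, "victim login should succeed in both variants"
    # 3. Attacker sends a request with the id they planted.
    return whoami(store, planted)


if __name__ == "__main__":
    print("vulnerable handler, attacker sees:", fixation_attack(login_vulnerable))
    print("fixed handler, attacker sees:", fixation_attack(login_fixed))
```

Rotating the identifier at every privilege change (login, password change, role elevation) is the fix; rejecting client-supplied ids that the server never issued (PHP's `session.use_strict_mode`) closes the other half, since then the attacker cannot get a value the server will adopt at all.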
EIP-2026-107726 EXPLOITDB text WORKING POC
ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Request Forgery (CSRF)
EIP-2026-107727 EXPLOITDB xml WORKING POC
ICE Hrm 29.0.0.OS - 'xml upload' Stored Cross-Site Scripting (XSS)