GroupSession Cross-Site Scripting Vulnerability

MEDIUM (6.1) No Patch (2 days)

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 9%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

GroupSession is a web-based HR management software used by some organizations for employee management. This vulnerability allows attackers to execute arbitrary scripts on the user's web browser by accessing a crafted page or URL, posing a risk of data theft and unauthorized access.
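The mechanism described above, reflected cross-site scripting, is easiest to see with the vulnerable rendering beside its hardened form. The block below is an added illustration, not GroupSession's code and not from the advisory: the search path, the parameter name `q`, the HTML template and the response headers are all assumptions. It takes a constructed request URL, shows how verbatim reflection turns URL content into page markup, and how contextual output encoding (HTML-escaping a value placed in text content) neutralises it, with a Content-Security-Policy header as defence in depth.

```python
"""Reflected XSS: vulnerable rendering beside the hardened form.

Added illustration, not GroupSession's code. The page path, the ``q``
parameter, the template and the header values are assumptions.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Assumed template: the reflected value lands in HTML text content.
TEMPLATE = "<html><body><p>Results for: {value}</p></body></html>"


def _query_param(url: str, name: str) -> str:
    """Return one query parameter from a request URL ("" if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim: markup in the URL becomes markup in the page."""
    return TEMPLATE.format(value=_query_param(url, "q"))


def render_hardened(url: str) -> str:
    """Contextual output encoding: HTML-escape a value destined for text content."""
    return TEMPLATE.format(value=escape(_query_param(url, "q"), quote=True))


def reflects_unescaped_markup(rendered: str, marker: str = "<script") -> bool:
    """Check used in review/testing: is the raw marker present in the output?"""
    return marker in rendered


def security_headers() -> dict:
    """Defence-in-depth headers a reverse proxy can add in front of the app (assumed values).

    CSP without 'unsafe-inline' blocks inline script even if a reflection slips through;
    nosniff stops browsers re-interpreting a response as a different content type.
    """
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed request URL carrying a textbook payload in the reflected parameter.
    crafted = "https://groupsession.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print("vulnerable reflects raw markup:", reflects_unescaped_markup(render_vulnerable(crafted)))
    print("hardened reflects raw markup:  ", reflects_unescaped_markup(render_hardened(crafted)))
    print(render_hardened(crafted))
    print(security_headers())
```

The check function is the kind of assertion a regression test for the fix would carry: the patched handler must never return the raw marker for any value of the reflected parameter.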

Am I affected?

You're affected if you use GroupSession: a reflected cross-site scripting vulnerability exists. Specific version info is not stated in the advisory. If you don't recognise this software, you're probably not affected.

Affected Products

aEnrich / a+HRD

How to fix

To fix this issue:

  • Upgrade to GroupSession ver5.3.0 or later.
    • For GroupSession Free edition: Go to the official website and follow the upgrade instructions.
    • For GroupSession byCloud and ZION editions, contact the vendor directly for a patched version.

Immediate mitigations:

  • Restrict network access to your GroupSession instance (firewall it from the public internet).
  • Audit admin account activity for suspicious access patterns.
  • Monitor for unauthorized token creation.