Abstract Advisory Information
Security issue affecting the product EasyToRecruit (E2R), software dedicated to recruitment management.
The upload feature and the Candidate Profile Management feature are vulnerable to Cross-Site Scripting (XSS) injection in multiple locations.
Authors: Dominique Righetto
Note: HR Recruitment claims that only one custom version is affected.
Common Vulnerability Scoring System
The vulnerability is patched in version 2.11.
Vulnerability Disclosure Timeline
- 07/12/2018: Vulnerability discovered.
- 11/12/2018: Contact requested from HR Recruitment.
- 20/12/2018: HR Recruitment acknowledges and fixes the vulnerability.
- 21/12/2018: CVE ID assigned by MITRE.
- 03/01/2019: HR Recruitment claims that only one custom version is affected.
- 07/01/2019: Decision taken to publish the vulnerability anyway.
- 17/01/2019: MITRE asked whether the CVE ID is still available.
- 09/04/2019: New CVE ID assigned by MITRE.
- 15/04/2019: Public disclosure.