Infor Global HR Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting (XSS) vulnerability has been identified in Infor Global HR versions 11.23.03.00.21 and prior. A remote attacker can inject a malicious payload into the class parameter of a specific URL endpoint and have arbitrary script execute in the victim's browser. The vulnerability arises from insufficient input sanitization: the application reflects the parameter value back into the page without encoding it, so injected scripts run in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, modify the class parameter in the URL to include a malicious payload, such as JavaScript or HTML code. Send the crafted URL to a victim. When the victim navigates to the modified URL, the application reflects the malicious input into the error message without proper sanitization, allowing the injected payload to execute in the victim's browser.
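The defect described above, as an added illustration that is not Infor's code: a handler that concatenates the raw class value into an error message beside a hardened version that HTML-encodes it at the output boundary, plus a small log-triage helper. The endpoint path, host, function names and the sample request are assumptions.

```javascript
// Added example (not Infor code). Shows why reflecting an unencoded
// query parameter into an error page is exploitable, and the fix:
// encode for the HTML context at the point of output.

// Minimal HTML escaper for element content and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable pattern: the raw 'class' value is concatenated into markup,
// so any tags or attributes it contains become part of the page.
function renderErrorVulnerable(cls) {
  return `<p class="error">Unknown class: ${cls}</p>`;
}

// Hardened pattern: same template, but the value is encoded for the
// HTML body context, so the browser shows it as text rather than markup.
function renderErrorSafe(cls) {
  return `<p class="error">Unknown class: ${escapeHtml(cls)}</p>`;
}

// Extract the 'class' query parameter from a request URL
// (URLSearchParams performs the percent-decoding a server would).
function classParam(url) {
  return new URL(url).searchParams.get("class") || "";
}

// Constructed request modeled on the advisory: a script tag in 'class'.
// Hostname and path are placeholders, not the real endpoint.
const SAMPLE_URL =
  "https://hr.example.invalid/endpoint?class=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

// Log-triage helper: a legitimate class name never needs markup
// characters or a javascript: scheme, so flag requests that carry them.
function looksLikeMarkupInjection(cls) {
  return /[<>"']/.test(cls) || /javascript:/i.test(cls);
}
```

Running the two renderers over `classParam(SAMPLE_URL)` shows the vulnerable output containing a live `<script>` element while the hardened output contains only `&lt;script&gt;` text.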
