HJSoft HCM Human Resources Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in HJSoft HCM Human Resources Management System versions prior to 20250822. The issue arises in the file '/templates/attestation/../../selfservice/lawresource/downlawbase', where manipulation of the 'ID' argument allows for SQL injection. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to the database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to the '/templates/attestation/../../selfservice/lawresource/downlawbase' endpoint with a crafted 'id' parameter that includes SQL injection payloads. The injection can be verified by using payloads that, for example, append SQL commands to the original query, such as 'id=11';waitfor delay '0:0:3'--.