# Exploit Title: ICE Hrm 29.0.0.OS - 'Account Takeover' Cross-Site Scripting and Session Fixation  
# Exploit Author: *Piyush Patil *& Rafal Lykowski  
# Vendor Homepage:  
# Version: 29.0.0.OS  
# Tested on: Windows 10 and Kali  
ICE Hrm Version 29.0.0.OS is vulnerable to session fixation and reflected cross site scripting leading to full account takeover.  
#Steps to reproduce the attack:  
1-Open 2 different browsers (or one with 2 windows - one of them opened in incognito mode)  
2-Log in to the system,   
3-Paste this payload into the address bar and load it:  
It simulates victim executing XSS.  
4-In the incognito window do not log in but just modify session cookie value to 12345.  
5-Navigate to any application url - you will realize that you are authorized. It means that your account was taken over.  
#Video POC: