CVE-2024-36656

6.1 MEDIUM

📋 TL;DR

This vulnerability allows registered users of MintHCM 4.0.3 to execute arbitrary JavaScript code through reflected cross-site scripting attacks. Attackers can inject malicious scripts that execute in victims' browsers when they visit specially crafted URLs. This affects all MintHCM deployments running version 4.0.3.

💻 Affected Systems

Products:
  • MintHCM
Versions: 4.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects registered users; unauthenticated users cannot exploit this vulnerability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, or defacement of application pages through script injection.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though some user interaction may still be required.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking malicious link) and authenticated access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.4 or later

Vendor Advisory: https://github.com/minthcm/minthcm/issues/67

Restart Required: No

Instructions:

1. Back up your current MintHCM installation.
2. Download MintHCM 4.0.4 or later from official sources.
3. Replace the vulnerable files with the patched versions.
4. Clear the application cache if applicable.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation that sanitizes user input before it is processed, and apply it in the affected endpoints.

Content Security Policy (applies to: all)

Deploy Content Security Policy headers that restrict the sources from which scripts may execute: add a 'Content-Security-Policy' header with script-src directives.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block XSS payloads
  • Disable user registration temporarily to limit attack surface

🔍 How to Verify

Check if Vulnerable:

Test the vulnerable endpoints with XSS payloads such as <script>alert('XSS')</script> and check whether the script executes.

Check Version:

Check MintHCM version in admin panel or configuration files.

Verify Fix Applied:

Retest with same XSS payloads after patching; scripts should be properly encoded or blocked.
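The output encoding and CSP header that the "If Mitigated" case and the workaround section refer to, together with the retest check described above, as an added example. This is not MintHCM code: the search page, its parameter name and the response structure are hypothetical, and the probe string is the one the advisory uses for testing.

```python
import html
from urllib.parse import quote

# Constructed sample input: the same probe string the advisory suggests for testing.
SAMPLE_INPUT = "<script>alert('XSS')</script>"


# Assumption: a hypothetical search page that reflects the user's query back into HTML.
def render_search_page(query: str) -> dict:
    """Build a response dict (status, headers, body) that reflects `query` safely.

    Output encoding is chosen per context: text placed between tags and inside
    quoted attributes is HTML-escaped (quote=True also escapes ' and "), while a
    value placed into a URL is percent-encoded instead.
    """
    safe_text = html.escape(query, quote=True)
    safe_url = quote(query, safe="")
    body = (
        "<html><body>"
        f"<h1>Results for {safe_text}</h1>"
        f'<input type="text" name="q" value="{safe_text}">'
        f'<a href="/search?q={safe_url}">Permalink</a>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Defence in depth: without 'unsafe-inline', inline <script> blocks and
        # on* event-handler attributes do not run even if an encoding step is missed.
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
        ),
    }
    return {"status": 200, "headers": headers, "body": body}


def reflects_unencoded(body: str, probe: str) -> bool:
    """Retest check: True if the probe string appears in the response body
    byte-for-byte, i.e. it was reflected without encoding."""
    return probe in body


if __name__ == "__main__":
    response = render_search_page(SAMPLE_INPUT)
    print(response["headers"]["Content-Security-Policy"])
    print(response["body"])
    print("reflected unencoded:", reflects_unencoded(response["body"], SAMPLE_INPUT))
```

Encoding is applied at output time, per context, because a single input filter cannot know whether a value will end up in element text, an attribute or a URL. The CSP is a second layer: it does not replace encoding, but a policy with no 'unsafe-inline' keeps a missed encoding step from becoming script execution in browsers that enforce CSP.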

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags in URL parameters
  • Multiple failed XSS attempts from same IP

Network Indicators:

  • HTTP requests containing script tags or JavaScript in parameters

SIEM Query:

source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
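The SIEM query above matches the literal strings, so a request whose parameters are percent-encoded (for example %3Cscript%3E) is missed unless the log pipeline decodes them first. The following added example, which is not part of the advisory or of MintHCM, runs the same four indicators over constructed web-server access log lines: it parses each line, URL-decodes the query parameters (twice, to catch double encoding), matches the indicators case-insensitively, and counts repeated hits per source IP, which is the "multiple attempts from the same IP" log indicator. The combined log format, the /index.php paths and the 192.0.2.0/24 addresses are assumptions.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicator substrings from the advisory's SIEM query, compared case-insensitively.
XSS_INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")

# Constructed sample access log lines in combined log format (assumption: the
# application is fronted by a web server that logs this way). The IPs are
# documentation addresses; line 2 carries the advisory's own probe string.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?module=Home&action=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jun/2024:12:00:05 +0000] "GET /index.php?module=Home&q=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jun/2024:12:00:09 +0000] "GET /index.php?module=Home&q=%3Cimg+onerror%3Dx%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.30 - - [10/Jun/2024:12:00:12 +0000] "GET /index.php?module=Home&q=JavaScript%3Aalert%281%29 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.40 - - [10/Jun/2024:12:00:15 +0000] "GET /index.php?module=Home&q=onload%3D HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Jun/2024:12:00:20 +0000] "GET /index.php?module=Home&q=%253Cscript%253E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_param_values(target: str) -> list[tuple[str, str]]:
    """Split the request target into (name, value) pairs with the query decoded.

    parse_qsl decodes percent-encoding and '+' once; unquote_plus decodes a second
    time so that double-encoded values (%253C -> %3C -> <) are also normalised.
    """
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [(name, unquote_plus(value)) for name, value in pairs]


def find_indicators(value: str) -> list[str]:
    """Return the indicators present in a decoded value, ignoring case."""
    lowered = value.lower()
    return [ind for ind in XSS_INDICATORS if ind in lowered]


def scan_log(log_text: str) -> list[dict]:
    """Return one hit record per (request, parameter) that contains an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than fail the whole scan
        for name, value in decode_param_values(m["target"]):
            found = find_indicators(value)
            if found:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "param": name,
                    "indicators": found,
                    "status": int(m["status"]),
                })
    return hits


def repeat_offenders(hits: list[dict], threshold: int = 2) -> dict[str, int]:
    """Source IPs with at least `threshold` hits, for the repeated-attempts indicator."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found_hits = scan_log(SAMPLE_LOG)
    for h in found_hits:
        print(f'{h["ts"]} {h["ip"]} param={h["param"]} indicators={h["indicators"]}')
    print("repeat offenders:", repeat_offenders(found_hits))
```

Decoding before matching is the part that matters: the literal SIEM query would see none of the encoded lines above, while the decoded scan flags all five. Matching on the decoded parameter values rather than the raw URL also avoids false positives from indicator strings that merely appear in referrer or user-agent fields.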
