Authoria HR Suite is prone to cross-site scripting attacks.
An attacker could construct a malicious link to a vulnerable host that contains arbitrary HTML and script code. If this link is visited by a web user, the attacker-supplied code will be rendered in their browser, in the security context of the vulnerable site.
Authoria HR contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'script' parameters upon submission to the 'athcgi.exe' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known upgrades, patches or workarounds available to correct this vulnerability.
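With no fix available, requests that carry markup in the 'script' parameter of 'athcgi.exe' can at least be flagged in web-server access logs. The following is an added example, not vendor code or part of the original advisory. The combined log format, the /cgi-bin/ path, the sample values and the assumption that legitimate 'script' values are plain names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: legitimate 'script' values are plain names, so quote and
# angle-bracket characters, script URLs or event-handler attributes are suspect.
SUSPICIOUS = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_script_values(log_line):
    """Return decoded 'script' values of an athcgi.exe request that contain markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/athcgi.exe"):
        return []
    hits = []
    # parse_qsl decodes once; fully_decode catches further encoding layers.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "script":
            decoded = fully_decode(value)
            if SUSPICIOUS.search(decoded):
                hits.append(decoded)
    return hits

# Constructed sample log lines (documentation addresses, hypothetical path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/athcgi.exe?script=home HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/athcgi.exe?script=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 530',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/athcgi.exe?script=%253Cb%253Etest HTTP/1.1" 200 530',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html?script=%3Cb%3E HTTP/1.1" 200 100',
]

def flagged_lines(lines):
    """Return (line, values) pairs for every line that needs review."""
    return [(l, v) for l in lines if (v := suspicious_script_values(l))]

if __name__ == "__main__":
    for line, values in flagged_lines(SAMPLE_LOG):
        print(values, "<-", line)
```

POST bodies do not appear in access logs, so this only covers values sent in the query string.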