HIGH🇬🇧 English

CVE-2025-59525

CVSS 7.7v4.0pub. 2025-09-24upd. 2025-09-29

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Horilla

    APP
    Horilla
    < 1.4.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
XSS
CWE
Referencje

Powiązane podatności

CVE-2025-59832CRITICAL9.9PL ✓ten sam produkt

Stored XSS w edytorze komentarzy Horilla HRMS — przejęcie sesji admina

CVE-2026-24038HIGH8.1ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling ...

CVE-2026-24010HIGH8.0ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerabilit...

CVE-2025-48869HIGH7.5ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access up...

CVE-2025-48868HIGH7.2ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execut...

CVE-2025-59525 — HIGH 7.7 | CVEbaza.pl