HIGH🇬🇧 English

CVE-2026-24038

CVSS 8.1v3.1pub. 2026-01-22upd. 2026-01-29

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  • Horilla

    APP
    Horilla
    1.4.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Auth Bypass
CWE
Referencje

Powiązane podatności

CVE-2025-59832CRITICAL9.9PL ✓ten sam produkt

Stored XSS w edytorze komentarzy Horilla HRMS — przejęcie sesji admina

CVE-2026-24010HIGH8.0ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerabilit...

CVE-2025-59525HIGH7.7ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sa...

CVE-2025-48869HIGH7.5ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access up...

CVE-2025-48868HIGH7.2ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execut...

CVE-2026-24038 — HIGH 8.1 | CVEbaza.pl