CRITICAL🇵🇱 Wersja polska

CVE-2025-59832

CVSS 9.9v3.1pub. 2025-09-25upd. 2025-09-29

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, there is a stored XSS vulnerability in the ticket comment editor. A low-privilege authenticated user could run arbitrary JavaScript in an admin’s browser, exfiltrate the admin’s cookies/CSRF token, and hijack their session. This issue has been patched in version 1.4.0.

🤖 AI Analysis
How it works

An attacker logged in as a regular user injects malicious JavaScript code into the comment field in the ticket module. The injected payload is permanently stored in the database and rendered without proper sanitization each time the comment is displayed to other users. When an administrator opens a view containing the infected comment, the script executes in their browser context, allowing for theft of session cookies and CSRF token.

Impact

An attacker can steal the administrator's session (cookies, CSRF token) and fully take over their account, gaining unauthorized access to all HRMS system functions with admin privileges.

Mitigation & patch

Update Horilla HRMS to version 1.4.0, where the vulnerability was patched by the vendor.

Who is affected

Horilla HRMS in versions before 1.4.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
  • Horilla

    APP
    Horilla
    < 1.4.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2026-24038HIGH8.1ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling ...

CVE-2026-24010HIGH8.0ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerabilit...

CVE-2025-59525HIGH7.7ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sa...

CVE-2025-48869HIGH7.5ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access up...

CVE-2025-48868HIGH7.2ten sam produkt

Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execut...