Horilla Unauthorized Access to Candidate Resume Files Due to Broken...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to retrieve sensitive candidate information without authentication. At time of publication there is no known patch.

Basic Information

ID CVE-2025-48869

Source GitHub_M

Published Sep 24, 2025 at 17:17

Modified Sep 24, 2025 at 17:26

Affected Product

Vendor horilla-opensource

Product horilla

Version = 1.3.0

Affected Versions horilla-opensource horilla = 1.3.0

CWE Classification

CWE-284

References

github.com /horilla-opensource/horilla/security/advisories/GHSA-99h5-x29f-727w

{
    "lastseen": "",
    "description": "Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to retrieve sensitive candidate information without authentication. At time of publication there is no known patch.",
    "published": "2025-09-24T17:17:40.979Z",
    "modified": "2025-09-24T17:26:56.854Z",
    "type": "cve",
    "title": "Horilla Unauthorized Access to Candidate Resume Files Due to Broken Access Control",
    "source": "GitHub_M",
    "references": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99h5-x29f-727w",
    "id": "CVE-2025-48869",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "horilla-opensource horilla = 1.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "horilla",
    "version": "= 1.3.0",
    "vendor": "horilla-opensource",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Horilla Unauthorized Access to Candidate Resume Files Due to Broken Access Control_CVE-2025-48869