Horilla has Improper Input Sanitization Leading to XSS and Admin...

7.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N

Description

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.

Basic Information

ID CVE-2025-59525

Source GitHub_M

Published Sep 24, 2025 at 18:15

Affected Product

Vendor horilla-opensource

Product horilla

Version < 1.4.0

Affected Versions horilla-opensource horilla < 1.4.0

CWE Classification

CWE-79 CWE-434

References

{
    "lastseen": "",
    "description": "Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.",
    "published": "2025-09-24T18:15:12.850Z",
    "modified": "2025-09-24T18:15:12.850Z",
    "type": "cve",
    "title": "Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover",
    "source": "GitHub_M",
    "references": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rp5m-vpqr-vpvp\nhttps://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59525/2025-08-Horilla_Vulnerability_2.pdf\nhttps://github.com/horilla-opensource/horilla/releases/tag/1.4.0",
    "id": "CVE-2025-59525",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "horilla-opensource horilla < 1.4.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "horilla",
    "version": "< 1.4.0",
    "vendor": "horilla-opensource",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover_CVE-2025-59525