Horilla · Horilla · CVE-2026-24010
**Name of the Vulnerable Software and Affected Versions**
Horilla versions prior to 1.5.0
**Description**
Horilla is a free and open source Human Resource Management System (HRMS). A critical file upload issue, combined with social engineering techniques, allows authenticated users to launch phishing attacks. An attacker can upload a malicious HTML file, disguised as a profile picture, to create a replica of the login page that steals user credentials. When a victim accesses the uploaded file's URL, they encounter a deceptive "Session Expired" message prompting re-authentication. All entered credentials are then sent to the attacker's server, potentially leading to Account Takeover. The vulnerable functionality is the file upload, specifically of HTML files, which are then served to other users. The **API endpoint** used for file uploads is not specified. The vulnerable **parameter** is the file upload field for profile pictures.
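The defensive check the description implies, as an added example that is not Horilla's own code: a profile-picture upload validator that accepts only files whose extension and leading bytes agree on an image type, rejects anything a browser would sniff as HTML, and returns response headers that stop stored avatars from rendering as a page. The accepted formats, size limit and function names are assumptions for illustration.

```python
# Added example (not Horilla's code): server-side profile-picture checks.
from typing import Optional, Tuple

# Magic-byte signatures for the only image formats we accept. Assumption: the
# application only needs PNG, JPEG and GIF avatars.
IMAGE_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
ALLOWED_EXTENSIONS = {"png": "image/png", "jpg": "image/jpeg",
                      "jpeg": "image/jpeg", "gif": "image/gif"}
# Markers a browser's MIME sniffer treats as HTML; matched case-insensitively
# in the leading bytes, which is where sniffing looks.
HTML_MARKERS = (b"<!doctype", b"<html", b"<script", b"<body", b"<iframe")
MAX_BYTES = 2 * 1024 * 1024  # assumed avatar size limit

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None

def looks_like_html(data: bytes) -> bool:
    head = data[:1024].lower()
    return any(m in head for m in HTML_MARKERS)

def validate_profile_picture(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only files whose extension AND content agree on an image type."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if looks_like_html(data):
        return False, "content sniffs as HTML"
    sniffed = sniff_image_type(data)
    if sniffed is None or sniffed != ALLOWED_EXTENSIONS[ext]:
        return False, "content does not match an allowed image type"
    return True, sniffed

def download_headers(mime: str) -> dict:
    """Headers for serving stored avatars so a browser never renders them as a page."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }
```

The constructed HTML sample in the test is the "Session Expired" lure described above renamed to `avatar.png`; the validator rejects it on content before the extension check can be fooled.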
**Recommendations**
Update Horilla to version 1.5.0 or later.