Gikyon

**Name of the Vulnerable Software and Affected Versions** Horilla versions prior to 1.4.0 **Description** Horilla is a Human Resource Management System (HRMS). A stored cross-site scripting (XSS) issue exists in the ticket comment editor for versions prior to 1.4.0. An authenticated user with limited privileges can execute arbitrary JavaScript code in an administrator’s browser. This could allow for the theft of cookies and CSRF tokens, potentially leading to session hijacking. The issue affects the ticket comment editor functionality. **Recommendations** Update to version 1.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** Horilla versions prior to 1.4.0 **Description** Horilla, a Human Resource Management System (HRMS), has an issue where the file upload process lacks server-side validation. Client-side validation can be bypassed, allowing an attacker to upload an executable HTML document. When a privileged user views this file, embedded scripts execute, sending session cookies or other credentials to an attacker-controlled endpoint. The attacker can then use these credentials to impersonate the administrator. The vulnerable flow involves uploading a file and the subsequent viewing of the uploaded content by a privileged user. The attack relies on bypassing client-side checks and exploiting the lack of server-side enforcement. **Recommendations** Update to version 1.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** Horilla versions prior to 1.4.0 **Description** Horilla is a Human Resource Management System (HRMS). Improper sanitization within the application allows for Cross-Site Scripting (XSS) through uploaded SVG files and allowed `<embed>` tags. This can lead to the execution of JavaScript when users view affected content, such as announcements, potentially resulting in administrative account takeover. **Recommendations** Update to version 1.4.0 or later.