PT-2025-39320 · Horilla · Horilla

Credits: Gikyon +2
Published: 2025-09-24 · Updated: 2025-09-25
CVE-2025-59524
CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Horilla versions prior to 1.4.0
Description: Horilla, a Human Resource Management System (HRMS), does not validate uploaded files on the server side. Because the only checks run in the client, they can be bypassed, allowing an attacker to upload an executable HTML document. When a privileged user views this file, the embedded scripts execute in that user's browser and send session cookies or other credentials to an attacker-controlled endpoint, which the attacker can then use to impersonate the administrator. The vulnerable flow is the upload of a file followed by a privileged user viewing the uploaded content; the attack relies on bypassing client-side checks and on the absence of server-side enforcement.
Recommendations: Update to version 1.4.0 or later.
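As an added example (not the Horilla project's code and not part of this advisory), a server-side upload check of the kind the description says is missing: it rejects files whose content reads as HTML regardless of their extension, verifies the file signature against an allowlist, and serves stored files with headers that prevent the browser from rendering them. The allowlist, the marker set and all function names are illustrative assumptions.

```python
import re
from pathlib import PurePosixPath

# Extension allowlist -> (MIME type the server will send, leading magic bytes).
# The client's declared Content-Type is never consulted.
ALLOWED_TYPES = {
    ".pdf": ("application/pdf", b"%PDF-"),
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
}

# Markup that would make the file render as an active document if a browser
# sniffs it; matched case-insensitively in the first bytes, whatever the extension.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|script|svg|iframe|body|meta|img)\b", re.I
)

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Server-side acceptance check (hypothetical). Returns (accepted, reason)."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    # Skip a UTF-8 BOM and leading whitespace so "  <html>" is still caught.
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:1024]
    if HTML_MARKERS.search(head):
        return False, "content contains HTML markup"
    _, magic = ALLOWED_TYPES[ext]
    if not data.startswith(magic):
        return False, f"content does not match {ext} file signature"
    return True, "ok"

def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored file so the browser downloads it, never renders it."""
    ext = PurePosixPath(filename).suffix.lower()
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", PurePosixPath(filename).name)
    return {
        "Content-Type": ALLOWED_TYPES[ext][0],
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

if __name__ == "__main__":
    # Constructed samples: an HTML document renamed to .pdf, then a real PDF header.
    print(validate_upload("cv.pdf", b"<!DOCTYPE html><html><body>constructed</body></html>"))
    print(validate_upload("cv.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>"))
```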

Tags: XSS · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2025-59524, GHSA-MFF9-P8J9-9V5Q

Affected Products: Horilla