CVE-2025-48867

Exploit

EPSS 0.06%
Veröffentlicht 24.09.2025 18:15:37
Zuletzt bearbeitet 29.09.2025 14:06:04
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields in the Project and Task modules. These payloads persist in the database and are executed when viewed by an admin or other privileged users through the web interface. Although the issue is not exploitable by unauthenticated users, it still poses a high risk of session hijacking and unauthorized action within high-privilege accounts. At time of publication there is no known patch.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Horilla ≫ Horilla Version1.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.175

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/horilla-opensource/horilla/security/advisories/GHSA-w242-xv47-j55r

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-48867

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-48867

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-48867

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-48867