CVE-2025-59525
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-09-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| horilla | horilla | < 1.4.0 (1.4.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Horilla HRMS prior to version 1.4.0 is caused by improper sanitization of uploaded SVG files and by <embed> elements being allowed in user-supplied content. This flaw allows attackers to inject malicious JavaScript code (cross-site scripting, XSS) that executes when users view affected content, such as announcements. The XSS can be chained to take over administrator accounts.
How can this vulnerability impact me?
The vulnerability can lead to an attacker executing arbitrary JavaScript in the context of the HRMS application, potentially resulting in the takeover of administrator accounts. This could allow unauthorized access to sensitive HR data, manipulation of system settings, or other malicious actions within the application.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Horilla to version 1.4.0 or later, as this version contains the patch that fixes the improper sanitization allowing XSS via uploaded SVG and <embed> elements. Until the upgrade can be performed, avoid uploading SVG files and restrict user access to content that may contain embedded SVG or <embed> elements to reduce the risk of exploitation.
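The answers above attribute the flaw to uploaded SVG files and to <embed> elements. As an added defender-side example, not Horilla's code and not the 1.4.0 fix (which this page does not show), here is an upload check that rejects SVGs carrying script-capable elements, inline event handlers or javascript: URLs; the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Element names that let an SVG carry script (compared case-insensitively);
# an upload filter refuses files containing any of them.
FORBIDDEN_ELEMENTS = {"script", "embed", "object", "iframe", "foreignobject"}
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)

def _local_name(qualified):
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qualified.rsplit("}", 1)[-1]

def svg_findings(data):
    """Return the reasons an uploaded SVG should be rejected (empty = clean).

    Uses the stdlib parser to stay dependency-free; for untrusted input in
    production, parse with defusedxml to also block entity-expansion attacks.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local_name(root.tag).lower() != "svg":
        return [f"root element is <{_local_name(root.tag)}>, not <svg>"]
    findings = []
    for element in root.iter():
        name = _local_name(element.tag)
        if name.lower() in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in element.attrib.items():
            attr_name = _local_name(attr)
            # Inline event handlers (onload, onclick, ...) run script on render.
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            # href / xlink:href pointing at a javascript: URL also runs script.
            elif attr_name.lower() == "href" and JS_URL.match(value):
                findings.append(f"javascript: URL in {attr_name} on <{name}>")
    return findings

def is_safe_svg(data):
    """Accept/reject decision for an upload handler."""
    return not svg_findings(data)

# Constructed sample uploads (not taken from the advisory).
SAMPLES = {
    "plain_icon": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "embed_element": b'<svg xmlns="http://www.w3.org/2000/svg"><embed src="x"/></svg>',
    "onload_handler": b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>',
}
```

Rejecting rather than attempting to clean the file keeps the check simple; serving accepted SVGs with a restrictive Content-Security-Policy and as downloads (not inline) further limits what a missed case could do.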