CVE-2025-59832
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-25

Last updated on: 2025-09-29

Assigner: GitHub, Inc.

Description
Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, there is a stored XSS vulnerability in the ticket comment editor. A low-privilege authenticated user could run arbitrary JavaScript in an admin’s browser, exfiltrate the admin’s cookies/CSRF token, and hijack their session. This issue has been patched in version 1.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-25
Last Modified
2025-09-29
Generated
2026-06-16
AI Q&A
2025-09-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59832
EUVD
EUVD-2025-31100
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
horilla horilla to 1.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stored Cross-Site Scripting (XSS) issue in the ticket comment editor of Horilla versions prior to 1.4.0. A low-privilege authenticated user can inject arbitrary JavaScript code that will execute in an administrator's browser. This malicious script can steal the admin's cookies and CSRF tokens, allowing the attacker to hijack the admin's session.

Impact Analysis

The vulnerability can lead to an attacker gaining unauthorized access to an administrator's session by stealing cookies and CSRF tokens. This can result in the attacker performing administrative actions, accessing sensitive data, and potentially compromising the entire HRMS system.

Mitigation Strategies

Upgrade Horilla to version 1.4.0 or later, as this version contains the patch for the stored XSS vulnerability in the ticket comment editor. Until the upgrade is applied, restrict low-privilege authenticated users from accessing the ticket comment editor to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59832. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart