CVE-2025-59832
BaseFortify
Publication date: 2025-09-25
Last updated on: 2025-09-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| horilla | horilla | to 1.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in the ticket comment editor of Horilla versions prior to 1.4.0. A low-privilege authenticated user can inject arbitrary JavaScript code that will execute in an administrator's browser. This malicious script can steal the admin's cookies and CSRF tokens, allowing the attacker to hijack the admin's session.
How can this vulnerability impact me? :
The vulnerability can lead to an attacker gaining unauthorized access to an administrator's session by stealing cookies and CSRF tokens. This can result in the attacker performing administrative actions, accessing sensitive data, and potentially compromising the entire HRMS system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Horilla to version 1.4.0 or later, as this version contains the patch for the stored XSS vulnerability in the ticket comment editor. Until the upgrade is applied, restrict low-privilege authenticated users from accessing the ticket comment editor to prevent exploitation.