exploitDog

CVE-2025-59525

Опубликовано: 24 сент. 2025

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG (and via allowed <embed>), which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can result in admin account takeover. This issue has been patched in version 1.4.0.

Ссылки

https://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59525/2025-08-Horilla_Vulnerability_2.pdf
Exploit
Third Party Advisory
https://github.com/horilla-opensource/horilla/releases/tag/1.4.0
Release Notes
https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rp5m-vpqr-vpvp
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*

Версия до 1.4.0 (исключая)

EPSS

Процентиль: 21%

0.0007

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

EPSS

Процентиль: 21%

0.0007

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79