CVE-2026-24035

Опубликовано: 22 янв. 2026

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload document in behalf of any employee. Version 1.5.0 fixes the issue.

Ссылки

https://drive.google.com/file/d/1i00-NnipvxH8bGY-SyqEjnDQfxIbVGRR/view?usp=sharing
Exploit
https://github.com/horilla-opensource/horilla/releases/tag/1.5.0
Release Notes
https://github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:horilla:horilla:1.4.0:*:*:*:*:*:*:*

EPSS

Процентиль: 1%

0.0001

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-284