Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, there is a stored XSS vulnerability in the ticket comment editor. A low-privilege authenticated user could run arbitrary JavaScript in an admin’s browser, exfiltrate the admin’s cookies/CSRF token, and hijack their session. This issue has been patched in version 1.4.0.
References
| Link | Resource |
|---|---|
| https://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59832/2025-08-Horilla_Vulnerability_1.pdf | Exploit Third Party Advisory |
| https://github.com/horilla-opensource/horilla/security/advisories/GHSA-8x78-6q9g-hv2h | Exploit Vendor Advisory |
| https://github.com/horilla-opensource/horilla/security/advisories/GHSA-8x78-6q9g-hv2h | Exploit Vendor Advisory |
Configurations
History
29 Sep 2025, 14:03
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/Mmo-kali/CVE/blob/main/CVE-2025-59832/2025-08-Horilla_Vulnerability_1.pdf - Exploit, Third Party Advisory | |
| References | () https://github.com/horilla-opensource/horilla/security/advisories/GHSA-8x78-6q9g-hv2h - Exploit, Vendor Advisory | |
| First Time |
Horilla horilla
Horilla |
|
| CPE | cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:* |
25 Sep 2025, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/horilla-opensource/horilla/security/advisories/GHSA-8x78-6q9g-hv2h - |
25 Sep 2025, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-25 15:16
Updated : 2025-09-29 14:03
NVD link : CVE-2025-59832
Mitre link : CVE-2025-59832
CVE.ORG link : CVE-2025-59832
JSON object : View
Products Affected
horilla
- horilla
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')