Horilla HRMS Open Redirect Vulnerability in Login Flow
Vulnerability
An open redirect vulnerability has been identified in Horilla, a free and open-source Human Resource Management System (HRMS), affecting versions prior to 1.3. This vulnerability allows an attacker to craft a URL that, when clicked by a user, redirects them to an external domain after logging in. Such redirections can lead to phishing or malicious sites, potentially allowing attackers to impersonate Horilla and deceive users.
Impact
Exploitation of this vulnerability could lead to open redirection, allowing users to be sent to malicious or phishing websites.
Reproduction
To reproduce this vulnerability, create a URL that points to the Horilla login page and includes a 'next' parameter with a URL to an external site. When the crafted URL is clicked, the user is directed to the Horilla login page. After logging in, the user is redirected to the external site specified in the 'next' parameter.
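The weak point is that the value of 'next' is handed to the post-login redirect without checking where it points. The added example below is not Horilla's code nor the fix shipped in 1.3: it places that vulnerable pattern beside a validator modelled on the logic of Django's url_has_allowed_host_and_scheme (Horilla is a Django application), so that only same-host or relative http(s) targets survive; the host name hrms.example.internal and all function names are assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Hosts the login flow may redirect to (constructed sample value). Include
# the port if request hosts carry one, since netloc keeps it.
ALLOWED_HOSTS = frozenset({"hrms.example.internal"})
DEFAULT_AFTER_LOGIN = "/"


def vulnerable_post_login_target(next_param):
    """The pattern behind the advisory: whatever 'next' carries is used verbatim."""
    return next_param or DEFAULT_AFTER_LOGIN


def _host_and_scheme_allowed(url, allowed_hosts):
    # Browsers read three or more leading slashes as an absolute URL.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # A scheme with an empty authority (http:///host) is still parsed as a
    # host by browsers, so refuse it rather than treat it as a path.
    if parts.scheme and not parts.netloc:
        return False
    # Leading control characters can make a browser read the URL as scheme-relative.
    if unicodedata.category(url[0])[0] == "C":
        return False
    # A scheme-relative URL (//host/path) resolves as http(s).
    scheme = parts.scheme or ("http" if parts.netloc else "")
    host_ok = not parts.netloc or parts.netloc.lower() in allowed_hosts
    scheme_ok = not scheme or scheme in ("http", "https")
    return host_ok and scheme_ok


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for relative targets or absolute http(s) targets on an allowed host."""
    url = (url or "").strip()
    if not url:
        return False
    # Browsers normalise backslashes to slashes, so both spellings must pass.
    return _host_and_scheme_allowed(url, allowed_hosts) and _host_and_scheme_allowed(
        url.replace("\\", "/"), allowed_hosts
    )


def safe_post_login_target(next_param, allowed_hosts=ALLOWED_HOSTS):
    """Hardened replacement: anything off-host falls back to the default page."""
    if next_param and is_safe_redirect(next_param, allowed_hosts):
        return next_param
    return DEFAULT_AFTER_LOGIN
```

A login view that applies safe_post_login_target to request.GET["next"] before issuing the redirect closes the flow described above; the same check belongs on any other redirect that takes its destination from the request.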
Remediation
Update to Horilla version 1.3 or later, where this vulnerability is fixed.