Horilla HRM Stored Cross-Site Scripting Vulnerability in Project and Task Modules

Vulnerability

A stored cross-site scripting vulnerability has been identified in Horilla HRM version 1.3. This issue allows authenticated admin or privileged users to inject malicious JavaScript into various fields within the Project and Task modules. The injected scripts are saved in the database and executed when the affected fields are viewed by an admin or privileged user. While the vulnerability cannot be exploited by unauthenticated users, it poses a significant risk of session hijacking and unauthorized actions within high-privilege accounts.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed automatically when an admin views the affected project or task. This could lead to session hijacking, unauthorized actions on behalf of the admin, and potential privilege escalation.

Reproduction

To reproduce this vulnerability, log in as an admin or privileged user and navigate to the project creation page. Inject a JavaScript payload into the Project Name or any other affected field, then save the project. The payload will execute when the project is viewed. This can also be demonstrated by injecting a script into the Task Title or other task-related fields, which will execute when the task is viewed in the /project/task-all/ module.
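The pattern behind this class of bug and its fix, as an added Python illustration that is not Horilla's own code: a constructed Record stands in for a Project/Task row, the unsafe renderer interpolates the stored title verbatim, the safe renderers encode it at output time (body and attribute contexts), and an audit helper flags rows already in the database that carry markup so they can be reviewed once the template fix ships.

```python
import html
import re
from dataclasses import dataclass

# Constructed, minimal stand-in for a Project/Task record; not Horilla's model.
@dataclass
class Record:
    kind: str   # "project" or "task"
    pk: int
    title: str  # the Project Name / Task Title field as stored

def render_title_unsafe(rec: Record) -> str:
    """Vulnerable pattern: the stored field is interpolated into HTML verbatim,
    so markup saved by one privileged editor runs in every viewer's browser."""
    return f'<h2 class="{rec.kind}-title">{rec.title}</h2>'

def render_title_safe(rec: Record) -> str:
    """Hardened pattern: encode at output time. html.escape rewrites & < > " '
    so the stored value is displayed literally instead of parsed as HTML."""
    return f'<h2 class="{rec.kind}-title">{html.escape(rec.title, quote=True)}</h2>'

def render_edit_field_safe(rec: Record) -> str:
    """Same rule in an attribute context (an edit form that pre-fills the field):
    quote=True is what stops a stored quote from closing the attribute early."""
    return f'<input name="title" value="{html.escape(rec.title, quote=True)}">'

# Markup-looking content: a tag opener, a javascript: URL, or an on*= handler.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def audit_stored_titles(records):
    """Defender check for an existing database: return (kind, pk) of rows whose
    title already contains HTML/script-looking content for manual review."""
    return [(r.kind, r.pk) for r in records if MARKUP.search(r.title)]

# Constructed sample rows: two benign titles and one harmless test payload.
SAMPLE_ROWS = [
    Record("project", 1, "Payroll migration Q4"),
    Record("task", 7, "<script>alert(1)</script>"),
    Record("task", 8, 'Review "A & B" contracts'),
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(render_title_safe(r))
    print(audit_stored_titles(SAMPLE_ROWS))
```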

Added: Sep 24, 2025, 6:47 PM
Updated: Sep 24, 2025, 6:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 5.9
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.