Horilla HRMS Cross-Site Scripting Vulnerability Leading to Admin Account Takeover
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Horilla, a free and open-source Human Resource Management System (HRMS), prior to version 1.4.0. The issue arises from improper input sanitization: uploaded SVG files are not sanitized, and <embed> tags are permitted in rich content, so an SVG carrying script can be loaded in a way that executes it. This vulnerability can be exploited to execute JavaScript when users view the affected content, such as announcements, potentially leading to the takeover of admin accounts.
Impact
Exploitation of this vulnerability allows for stored and reflected cross-site scripting via uploaded assets and embedded content. This could result in session hijacking, credential theft, and privilege escalation to admin rights, since any high-privilege user who views the compromised content could be affected.
Reproduction
To reproduce this vulnerability, upload an SVG file containing embedded scripts. Affected versions allow such uploads without proper sanitization. Alternatively, use an <embed> tag to include the malicious SVG, which will execute the embedded JavaScript when the content is viewed. This can be done in areas where rich content is rendered, such as announcements.
Remediation
Users are advised to update to Horilla version 1.4.0, where this vulnerability has been patched.
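As an added example, not code from Horilla or its 1.4.0 fix: an upload-time check in Python (Horilla is a Django application) that rejects SVG files carrying the vectors this advisory describes, namely script elements, event-handler attributes and script-scheme hrefs. It assumes the standard-library XML parser; for untrusted uploads in production, defusedxml or an allow-list sanitizer is the safer choice.

```python
import re
import xml.etree.ElementTree as ET  # assumption: use defusedxml for untrusted input in production

# Elements that can carry or trigger script execution inside an SVG document.
# 'set' and 'animate' are included because they can rewrite href attributes at runtime.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object",
                  "set", "animate", "handler"}
# href-like attributes whose value must not use a script scheme
# ('data:' is left alone so inline raster images in <image> keep working).
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
SCRIPT_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the XML namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected; an empty list means it passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload=, onclick=, onbegin=, ...
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif attr in HREF_ATTRS and SCRIPT_SCHEME.match(value):
                findings.append(f"script URI in {name} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Upload-time gate: accept the file only when no findings were raised."""
    return not svg_findings(data)


# Constructed sample inputs for demonstration; not files taken from the advisory.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>probe()</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="probe()"/>'
```

Because script inside an SVG only runs when the file is loaded as a document (direct navigation, <embed>, <object>, <iframe>) and not through <img>, this check complements, rather than replaces, serving uploads from a separate origin with a Content-Disposition: attachment header and stripping <embed> from rich content.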
