Horilla HRMS Stored Cross-Site Scripting Vulnerability Leading to Admin Account Takeover

Vulnerability

A stored cross-site scripting vulnerability has been identified in Horilla, a free and open-source Human Resource Management System, prior to version 1.4.0. This vulnerability exists in the ticket comment editor, where low-privilege authenticated users can inject arbitrary JavaScript. When an admin views the ticket, the injected script executes in the admin's browser, allowing the attacker to exfiltrate cookies and CSRF tokens, hijack the admin's session, and perform actions on behalf of the admin.

Impact

Exploitation of this vulnerability allows for a complete takeover of an admin account, including all associated privileges and session rights.

Reproduction

To reproduce this vulnerability, a low-privilege authenticated user can post a comment on a ticket containing a crafted XSS payload. Once the comment is saved, an admin or privileged user must view the ticket, which will trigger the execution of the injected script in the admin's browser. The executed script can then exfiltrate the admin's cookies and CSRF token, and use this information to hijack the admin's session by making authenticated requests that replicate admin actions.

Remediation

Users are advised to update to Horilla version 1.4.0 or later, where this vulnerability has been patched.
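The durable fix for a stored XSS like this one is to sanitize and entity-encode comment HTML when it is rendered into the ticket view, so that anything a low-privilege user stored executes as text rather than script. The following allowlist sanitizer is an added example written for this advisory; it is not Horilla's own code or its 1.4.0 patch, and the tag and attribute allowlists are illustrative assumptions.

```python
# Added example (not Horilla's own code or its 1.4.0 fix): an allowlist
# sanitizer for rich-text ticket comments, showing the output encoding that
# keeps a stored comment from running script in the admin's browser.
from html import escape
from html.parser import HTMLParser

# Illustrative allowlists (assumptions): formatting tags plus safe links only.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}  # no on* handlers, no style attribute
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script>/<style>: body is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:  # unknown tags vanish, text stays
            kept = ""
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                    continue  # drops onerror=, onclick=, style=, ...
                # collapse whitespace first: browsers ignore it inside a scheme
                if name == "href" and not "".join(value.split()).lower().startswith(SAFE_URL_PREFIXES):
                    continue  # drops javascript: and data: links
                kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text nodes are always entity-encoded


def sanitize_comment(raw_html: str) -> str:
    """Return HTML safe to render into the ticket view (apply at render time)."""
    parser = CommentSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)
```

Render-time encoding is the primary control; marking the session cookie HttpOnly limits what an injected script can read but does not stop it from issuing requests in the admin's browser, so it is defense in depth rather than a substitute.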

Added: Sep 25, 2025, 3:39 PM
Updated: Sep 25, 2025, 4:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.