Horilla HR Software Improper Access Control Vulnerability Allowing Unauthorized Document Upload

Vulnerability

An improper access control vulnerability has been identified in Horilla HR Software versions from 1.4.0 up to, but not including, 1.5.0. It allows any authenticated employee to upload documents on behalf of another employee without authorization. The root cause is inadequate server-side validation of the employee_id parameter in the file upload flow: the server trusts the client-supplied value instead of checking it against the authenticated user, so an authenticated employee can change the parameter and attach documents to any employee's record.
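The following is an added illustration of the flaw described above and of the server-side check that closes it; it is not Horilla's code. Horilla is a Django application, but this example is written without Django so it runs stand-alone: `Employee`, `Request`, `DocumentStore`, the `is_hr_manager` role and the `upload_document_*` handler names are hypothetical stand-ins for the real models and views. The vulnerable handler trusts the form's employee_id; the fixed handler derives the target from the session user and only honours a different employee_id when the caller holds a privileged role.

```python
"""Illustrative model of an employee_id authorization flaw in a document
upload handler, and its fix. Added example, NOT Horilla's code; all names
below are hypothetical stand-ins for the application's real models/views."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller may not act on the requested employee record."""


@dataclass
class Employee:
    employee_id: int
    username: str
    is_hr_manager: bool = False  # hypothetical privileged role


@dataclass
class Request:
    user: Employee   # the authenticated session user (trusted, server-side)
    post: dict       # form fields; employee_id here is untrusted client input
    files: dict      # uploaded file name -> bytes


@dataclass
class DocumentStore:
    docs: list = field(default_factory=list)

    def save(self, employee_id: int, filename: str, data: bytes) -> None:
        self.docs.append((employee_id, filename, data))

    def owners(self) -> list:
        return [employee_id for employee_id, _, _ in self.docs]


def upload_document_vulnerable(request: Request, store: DocumentStore) -> int:
    """Before: the target employee is whatever the client sent. Any logged-in
    user can attach a document to any employee simply by editing the field."""
    employee_id = int(request.post["employee_id"])
    for name, data in request.files.items():
        store.save(employee_id, name, data)
    return employee_id


def upload_document_fixed(request: Request, store: DocumentStore) -> int:
    """After: the target defaults to the session user. A different employee_id
    is accepted only for a privileged role, and the decision is made on the
    server from the authenticated identity, never from the form alone."""
    caller = request.user
    raw = request.post.get("employee_id")
    target_id = caller.employee_id if raw is None else int(raw)
    if target_id != caller.employee_id and not caller.is_hr_manager:
        raise PermissionDenied(
            f"user {caller.username} may not upload for employee {target_id}"
        )
    for name, data in request.files.items():
        store.save(target_id, name, data)
    return target_id


def demo() -> dict:
    """Constructed scenario: alice (employee 1) submits a form whose
    employee_id field has been changed to 2 (bob). Returns what each
    handler did so the contrast is visible."""
    alice = Employee(1, "alice")
    manager = Employee(3, "carol", is_hr_manager=True)
    tampered = Request(user=alice, post={"employee_id": "2"},
                       files={"payslip.pdf": b"constructed sample bytes"})

    vuln_store = DocumentStore()
    vuln_target = upload_document_vulnerable(tampered, vuln_store)

    fixed_store = DocumentStore()
    try:
        upload_document_fixed(tampered, fixed_store)
        fixed_outcome = "accepted"
    except PermissionDenied:
        fixed_outcome = "denied"

    # Same tampered field, but sent by a privileged user: allowed.
    manager_req = Request(user=manager, post={"employee_id": "2"},
                          files={"contract.pdf": b"constructed sample bytes"})
    manager_target = upload_document_fixed(manager_req, fixed_store)

    return {
        "vulnerable_saved_under": vuln_target,
        "vulnerable_store_owners": vuln_store.owners(),
        "fixed_outcome_for_alice": fixed_outcome,
        "fixed_store_owners": fixed_store.owners(),
        "manager_saved_under": manager_target,
    }


if __name__ == "__main__":
    print(demo())
```

The key design point is that the fixed handler never uses the form's employee_id as the sole source of truth: the authenticated session decides who the upload belongs to, and any override is an explicit, role-gated exception that can be logged. A denied upload whose requested employee_id differs from the session user is also a useful signal for detection, since a legitimate self-service upload never needs to name someone else.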

Impact

Exploitation of this vulnerability allows an authenticated employee to attach documents to other employees' records, which can lead to unauthorized manipulation of those records or to the disclosure of their contents to the wrong account.

Reproduction

To reproduce this vulnerability, an authenticated employee intercepts their own document upload request and changes the employee_id parameter to a different employee's identifier. Because the server does not check that value against the authenticated user, the document is stored under the other employee's record once the request is submitted.

Remediation

Upgrade to Horilla HR Software version 1.5.0, which addresses this vulnerability.

Added: Jan 22, 2026, 4:22 AM
Updated: Jan 22, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.2
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.