Horilla HRMS Unauthenticated Access to Unpublished Job Postings Vulnerability
Vulnerability
A vulnerability in Horilla HR Management System (HRMS) versions 1.4.0 and above allows unauthenticated users to access unpublished job postings through the /recruitment/recruitment-details/ endpoint. The exposed information includes draft job titles, descriptions, and application links, so anyone can view unpublished roles and apply for them. This unauthorized access can confuse candidates and disrupt internal hiring processes by leaking sensitive information about upcoming recruitment plans and departmental needs.
Impact
Exploitation of this vulnerability allows unauthorized users to access and apply for unpublished job positions, causing potential confusion for candidates and additional workload for HR personnel. Furthermore, it risks disclosing confidential internal hiring information that was not intended for public release.
Reproduction
To reproduce this vulnerability, create a job listing in Horilla HRMS version 1.4.0 or above and set its privacy to 'Unpublished'. Despite the listing being unpublished, it can be accessed through the recruitment details endpoint, where the application link is also available.
Remediation
Users can upgrade to Horilla version 1.5.0, where this vulnerability has been fixed.
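The flaw is a missing publication and authorization check on the details endpoint. The following is an added, framework-agnostic illustration of that check (not Horilla's code, and not the actual 1.5.0 patch); the `User`, `Recruitment` and handler names, and the sample records, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the request user and the job-posting record.
# Field names are assumptions for this example, not Horilla's models.
@dataclass
class User:
    is_authenticated: bool
    is_hr_staff: bool = False

@dataclass
class Recruitment:
    id: int
    title: str
    is_published: bool

# Constructed sample data: one published posting, one unpublished draft.
RECRUITMENTS: Dict[int, Recruitment] = {
    1: Recruitment(1, "Published role", True),
    2: Recruitment(2, "Draft role (unpublished)", False),
}

def vulnerable_details(user: User, rec_id: int) -> Tuple[int, Optional[str]]:
    """Before: the posting is returned by id alone, regardless of its
    publication state or whether the caller is logged in at all."""
    rec = RECRUITMENTS.get(rec_id)
    if rec is None:
        return 404, None
    return 200, rec.title

def hardened_details(user: User, rec_id: int) -> Tuple[int, Optional[str]]:
    """After: anonymous or non-HR callers only ever see published postings.
    Drafts answer 404 rather than 403 so their existence is not confirmed
    to outsiders (one reasonable choice; 403 is the alternative)."""
    rec = RECRUITMENTS.get(rec_id)
    if rec is None:
        return 404, None
    may_view_draft = user.is_authenticated and user.is_hr_staff
    if not rec.is_published and not may_view_draft:
        return 404, None
    return 200, rec.title
```

The same rule must cover the application link and the apply endpoint, not only the details page, otherwise a draft can still receive applications.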
