Horilla HRMS Cross-Site Scripting Vulnerability in Version 1.4.0

A cross-site scripting (XSS) vulnerability has been identified in Horilla Human Resource Management System (HRMS) version 1.4.0. The issue arises in the has_xss() function, which attempts to prevent XSS by matching input against a set of regular expression patterns. However, these patterns are incomplete and context-agnostic, allowing attackers to easily bypass them. Exploitation of this vulnerability enables attackers to redirect users to malicious domains, execute external JavaScript, and steal CSRF tokens, which can be used to launch CSRF attacks against administrators.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser. This could lead to the theft of cookies, including CSRF tokens, which could be used to perform actions on behalf of the user or admin.

Reproduction

To reproduce this vulnerability, create a project in Horilla HRMS version 1.4.0. Use a payload that includes a script injection in the project name field. Once the project is saved, the injected script will execute, demonstrating the XSS vulnerability. The injected script can be crafted to, for example, steal cookies and CSRF tokens by sending them to an external server.

Remediation

Users can upgrade to Horilla version 1.5.0, where this vulnerability has been fixed.