Horilla HRMS Improper Access Control Vulnerability Allows Document Self-Approval

Vulnerability

A vulnerability in Horilla Human Resource Management System (HRMS) version 1.4.0 and prior allows low-privileged employees to self-approve uploaded documents. The approval interface is meant for administrators or users with higher privileges, but the approval endpoint performs no proper server-side authorization check, so a standard employee can change the approval status of their own documents. Exploiting this flaw lets employees alter application state that is supposed to be under admin oversight, potentially disrupting HR processes by allowing unverified documents to pass as approved.

Impact

Exploitation of this vulnerability allows authenticated employees to bypass the document approval process by marking their own submissions as approved. This undermines the integrity of HR procedures that depend on that review, including onboarding checks and credential verification.

Reproduction

To reproduce this vulnerability, an admin or high-privileged user must first request a document from an employee. The employee then uploads a document in the requested format and intercepts the resulting request to the approval endpoint. Editing that request to change the status from 'requested' to 'approved' and forwarding it causes the document to be approved, demonstrating the missing server-side access control.
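
The root cause is an approval endpoint that trusts the client-supplied status instead of checking who is allowed to set it. The following added example (not Horilla's own code; the model names, the `can_approve_documents` privilege flag and the status strings are simplified assumptions) places the vulnerable pattern beside a server-side check that only lets a privileged user who is not the document's owner move a document out of the 'requested' state.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of the document-approval flow described in
# the advisory. These names are assumptions, not Horilla's own identifiers.
REQUESTED = "requested"
APPROVED = "approved"
REJECTED = "rejected"


@dataclass
class User:
    username: str
    can_approve_documents: bool = False  # admin / HR-manager style privilege


@dataclass
class Document:
    owner: str               # employee the document was requested from
    status: str = REQUESTED


class PermissionDenied(Exception):
    pass


def update_status_vulnerable(document: Document, actor: User, new_status: str) -> Document:
    """Pattern behind the flaw: the endpoint only knows the caller is logged in
    and applies whatever status the request body carries."""
    document.status = new_status
    return document


def update_status_fixed(document: Document, actor: User, new_status: str) -> Document:
    """Server-side authorization: validate the transition, require the approval
    privilege, and refuse self-approval regardless of privilege."""
    if new_status not in (APPROVED, REJECTED):
        raise ValueError(f"unsupported status transition to {new_status!r}")
    if not actor.can_approve_documents:
        raise PermissionDenied("approval privilege required")
    if actor.username == document.owner:
        raise PermissionDenied("a user may not approve their own document")
    if document.status != REQUESTED:
        raise PermissionDenied("document is not awaiting approval")
    document.status = new_status
    return document
```

The same owner-versus-actor and privilege checks belong in every view that mutates the status, since the form-level UI restriction alone is what the advisory shows being bypassed.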

Remediation

Users should upgrade to Horilla version 1.5.0, which addresses this vulnerability by enforcing the authorization check on the server side.

Added: Jan 22, 2026, 4:18 AM
Updated: Jan 22, 2026, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.