Horilla HRMS Insecure Direct Object Reference Vulnerability in Document Viewer

Vulnerability

A vulnerability allowing unauthorized access to employee documents has been identified in Horilla HRMS version 1.5.0. This insecure direct object reference (IDOR) issue allows any authenticated user to view other employees' uploaded files by changing the document ID in the request; no elevated role is required. The flaw exposes sensitive HR materials, including identity documents, contracts, certificates, and other private employee records. The vulnerability arises because the document viewer endpoint retrieves files based solely on their numeric IDs, without verifying that the requesting user is the document's owner or otherwise entitled to access it. Because the identifiers are plain numbers, valid IDs belonging to other employees can be guessed or enumerated without any further information.

Impact

Exploitation of this vulnerability gives any employee account read access to other employees' private files, exposing sensitive HR data and potentially causing compliance or privacy issues where the documents contain personal or regulated information.

Reproduction

To reproduce this vulnerability, log in as an ordinary employee and open the document viewer. Capture the request issued when one of your own documents is displayed and note the document ID it carries. Replay the same request with the ID changed to one that corresponds to another employee's file. The server responds with that document, bypassing any authorization check. To confirm the finding rather than a mis-read, verify with a second account that the returned file is indeed owned by a different employee, and re-run the same replay after patching to confirm the server now refuses the request.
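The pattern described in the Vulnerability and Reproduction sections, as an added, self-contained illustration that is not Horilla's own code: an in-memory document store stands in for the database, `view_document_vulnerable` mirrors the flawed handler (authenticated, then fetch by numeric ID and return), `view_document_fixed` adds the missing ownership check, and `probe_idor` simulates the ID-changing step against either handler. The store contents, user objects, handler names and the `can_view_all_documents` permission flag are all assumptions made for the example.

```python
"""Model of the document-viewer IDOR and its fix.

Added illustration, not Horilla's code. The data, handler names and the
HR permission flag are assumptions; the handlers stand in for web views
so the example runs without Django or a network.
"""
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised by the hardened handler when the requester may not view the file."""


class NotFound(Exception):
    """Raised when no document has the requested id."""


@dataclass(frozen=True)
class User:
    username: str
    employee_id: int
    # Assumed permission: HR staff allowed to review anyone's documents.
    can_view_all_documents: bool = False


@dataclass(frozen=True)
class EmployeeDocument:
    doc_id: int
    employee_id: int  # owning employee
    title: str
    content: bytes


# Constructed sample data: two employees, three uploaded documents.
DOCUMENTS = {
    1: EmployeeDocument(1, 100, "alice-passport.pdf", b"ALICE-PASSPORT"),
    2: EmployeeDocument(2, 200, "bob-contract.pdf", b"BOB-CONTRACT"),
    3: EmployeeDocument(3, 200, "bob-certificate.pdf", b"BOB-CERT"),
}

ALICE = User("alice", 100)
BOB = User("bob", 200)
HR = User("hr", 300, can_view_all_documents=True)


def _lookup(doc_id: int) -> EmployeeDocument:
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def view_document_vulnerable(requester: User, doc_id: int) -> bytes:
    """Vulnerable pattern: the caller is authenticated, but nothing ties
    the requested id to the requester, so any id in the table is served."""
    doc = _lookup(doc_id)
    return doc.content


def view_document_fixed(requester: User, doc_id: int) -> bytes:
    """Hardened pattern: fetch by id, then authorize against the owner
    (or an explicit review permission) before returning the bytes."""
    doc = _lookup(doc_id)
    if doc.employee_id != requester.employee_id and not requester.can_view_all_documents:
        # Raising NotFound here instead would also avoid confirming that
        # the id exists; PermissionDenied is used so the test can tell the
        # two outcomes apart.
        raise PermissionDenied(f"{requester.username} may not view document {doc_id}")
    return doc.content


def can_view(handler, requester: User, doc_id: int) -> bool:
    """True if `handler` serves `doc_id` to `requester`, False on denial or 404."""
    try:
        handler(requester, doc_id)
    except (PermissionDenied, NotFound):
        return False
    return True


def probe_idor(handler, requester: User, id_range: range) -> list:
    """Simulated reproduction step: walk candidate ids as `requester` and
    return those that yield a document the requester does not own."""
    return [
        doc_id
        for doc_id in id_range
        if can_view(handler, requester, doc_id)
        and DOCUMENTS[doc_id].employee_id != requester.employee_id
    ]


if __name__ == "__main__":
    print("vulnerable handler leaks:", probe_idor(view_document_vulnerable, ALICE, range(1, 10)))
    print("fixed handler leaks:     ", probe_idor(view_document_fixed, ALICE, range(1, 10)))
```

Running the module shows the vulnerable handler leaking both of Bob's documents to Alice, while the hardened handler leaks none yet still serves Alice her own file and lets the HR account review everyone's. The essential change is that authorization is evaluated per object after the lookup, not just once at login.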

Added: Apr 21, 2026, 8:09 PM
Updated: Apr 21, 2026, 8:09 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  6.6
remediation     0.0
relevance       6.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.