Horilla HRMS Document Upload Endpoint Insecure Direct Object Reference Vulnerability

A vulnerability in Horilla HRMS version 1.5.0 allows authenticated users to exploit an insecure direct object reference in the employee document upload endpoint. By altering the document ID in the upload request, users can overwrite, replace, or corrupt another employee's document. This flaw enables unauthorized modifications of HR records, as the system does not verify document ownership or modification permissions before processing the upload.

Impact

Exploitation of this vulnerability allows for the unauthorized replacement of employee documents, tampering with HR records, and potential disruption of onboarding, verification, and compliance workflows. Additionally, it could be used to introduce misleading or malicious files into other users' records.

Reproduction

To reproduce this vulnerability, log in as an employee with a document uploaded. Navigate to the document upload/update section and capture a valid request using a tool like Burp Suite. Note the document ID being used, then change it to another employee's document ID before resubmitting the request with a file upload. The document will be replaced without authorization.