CVE-2025-48867

{"id": "CVE-2025-48867", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2025-48867", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-24T17:35:26.399473Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "horilla-opensource", "product": "horilla", "versions": [{"status": "affected", "version": "= 1.3.0"}]}]}], "published": "2025-09-24T18:15:37.510", "references": [{"url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-w242-xv47-j55r", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) vulnerability in Horilla HRM 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields in the Project and Task modules. These payloads persist in the database and are executed when viewed by an admin or other privileged users through the web interface. Although the issue is not exploitable by unauthenticated users, it still poses a high risk of session hijacking and unauthorized action within high-privilege accounts. At time of publication there is no known patch."}, {"lang": "es", "value": "Horilla es un Sistema de Gesti\u00f3n de Recursos Humanos (HRMS) gratuito y de c\u00f3digo abierto. Una vulnerabilidad de cross-site scripting (XSS) almacenado en Horilla HRM 1.3.0 permite a usuarios administradores o privilegiados autenticados inyectar cargas \u00fatiles de JavaScript maliciosas en m\u00faltiples campos en los m\u00f3dulos de Proyecto y Tarea. Estas cargas \u00fatiles persisten en la base de datos y se ejecutan cuando son vistas por un administrador u otros usuarios privilegiados a trav\u00e9s de la interfaz web. Aunque el problema no es explotable por usuarios no autenticados, a\u00fan representa un alto riesgo de secuestro de sesi\u00f3n y acci\u00f3n no autorizada dentro de cuentas de alto privilegio. Al momento de la publicaci\u00f3n no existe un parche conocido."}], "lastModified": "2026-06-17T09:30:24.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:horilla:horilla:1.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB689BA6-40B8-4E5F-AEB4-6DCB6C76A651"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}