CVE-2025-51989

HTML injection vulnerability in the registration interface in Evolution Consulting Kft. HRmaster module v235 allows an attacker to inject HTML tags into the "keresztnév" (firstname) field, which will be sent out in an email resulting in possible Phishing scenarios against any, previously not registered, email address.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
http://evolution.com
http://hrmaster.com
https://github.com/Apor/Vulnerabilities/tree/main/CVE-2025-51989
https://hrmaster.hu/modulok/toborzas-es-kivalasztas
https://www.evolution-consulting.hu/

Configurations

No configuration.

History

22 Aug 2025, 14:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.0
Summary		(es) Una vulnerabilidad de inyección HTML en la interfaz de registro del módulo HRmaster v235 de Evolution Consulting Kft. permite a un atacante inyectar etiquetas HTML en el campo "keresztnév" (nombre), que se enviarán en un correo electrónico, lo que puede provocar phishing contra cualquier dirección de correo electrónico no registrada previamente.
CWE		CWE-80

21 Aug 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-21 20:15

Updated : 2025-08-22 18:08

NVD link : CVE-2025-51989

Mitre link : CVE-2025-51989

CVE.ORG link : CVE-2025-51989

JSON object : View

Products Affected

No product.

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

7.0 /10