CVE-2025-12872
Description
The a+HRD and a+HCM developed by aEnrich have a Stored Cross-Site Scripting vulnerability, allowing authenticated remote attackers to upload files containing malicious JavaScript code, which will execute on the client side when a user is tricked into visiting a specific URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote attackers can upload files with malicious JavaScript to a+HRD and a+HCM, leading to stored XSS when victims visit a crafted URL.
Vulnerability
Overview
CVE-2025-12872 is a stored cross-site scripting (XSS) vulnerability found in aEnrich's a+HRD (version 7.5 and earlier) and a+HCM (version 8.1) products. The root cause is insufficient sanitization of uploaded files, allowing authenticated remote attackers to inject persistent JavaScript code into the application [1][2].
Exploitation
Prerequisites
An attacker must first obtain valid authentication credentials for the target system. Once authenticated, they can upload a file containing malicious JavaScript. The attack requires user interaction: the victim must be tricked into visiting a specific URL that triggers the stored payload [1][2]. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) reflects the need for low-privilege access and user interaction [1].
Impact
When a victim browses to the crafted URL, the malicious script executes in their browser context. This can lead to disclosure of sensitive information (e.g., session tokens or personal data) and limited manipulation of page content. The impact is confined to the client side, with no direct server compromise [1][2].
Mitigation
aEnrich has released security updates to address this vulnerability. Users are advised to upgrade a+HRD to a version later than 7.5 and a+HCM to a version later than 8.1. No workarounds have been published [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.