VYPR
Medium severity (6.1) · NVD Advisory · Published Oct 21, 2025 · Updated Apr 15, 2026

CVE-2025-60932

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in the Current Goals function of HR Performance Solutions Performance Pro v3.19.17 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description parameters. The patched version is PP-Release-6.3.2.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple stored XSS vulnerabilities in HR Performance Solutions Performance Pro v3.19.17 and earlier allow authenticated attackers to inject arbitrary scripts via goal and action step parameters; patched in PP-Release-6.3.2.0.

Vulnerability

Overview

The Current Goals module of HR Performance Solutions Performance Pro v3.19.17 and earlier contains multiple stored cross-site scripting (XSS) vulnerabilities. The application fails to properly sanitize or encode user-supplied input in several fields, including Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description. Malicious payloads injected by an authenticated user are stored server-side and later rendered in the browser of any user viewing the affected pages, leading to arbitrary script execution [1].

Exploitation

Method

An authenticated attacker can inject malicious JavaScript into the vulnerable input fields via POST requests to the goal setup endpoint (index.php?mode=mGoalSetup&job=update&id=<goal_id>). The stored payload is then rendered when other users view or print goals, such as through viewgoals.php?printview=1&type=current. The attacker may lure victims by sending a crafted URL via phishing or social engineering; when the victim navigates to that URL, the stored payload executes in the victim's browser context [1].

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the victim's browser, alter the application's user interface, and potentially redirect victims to malicious sites. Because the stored input persists on the server, every subsequent viewer of the affected goals is exposed to the attack, increasing the blast radius beyond a single session [1].

Mitigation

The vendor has released a patched version, PP-Release-6.3.2.0, which addresses these vulnerabilities. Users are strongly advised to update to this version or later to eliminate the risk of stored XSS. No other workarounds are documented in the available reference [1].
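As an added defender-side illustration, not code from the advisory or from the vendor: a constructed goal record rendered the way this flaw class renders it (stored text concatenated straight into HTML) beside the output-encoded form, plus a small audit over the six stored fields so that records entered before the upgrade can be reviewed. The record layout, the Python field identifiers, both renderers and the sample data are assumptions made for the example.

```python
import html
import re
from dataclasses import dataclass

# The six field names come from the advisory; the record layout, the renderers
# and the sample data are constructed for illustration, not Performance Pro code.
GOAL_FIELDS = ("goal_name", "goal_description", "goal_notes",
               "action_step_name", "action_step_description", "note_name")

@dataclass
class Goal:
    goal_name: str
    goal_description: str
    goal_notes: str
    action_step_name: str
    action_step_description: str
    note_name: str

def render_vulnerable(goal: Goal) -> str:
    """The flaw class described above: stored text is concatenated straight into HTML."""
    return (f"<h2>{goal.goal_name}</h2><p>{goal.goal_description}</p>"
            f"<li title='{goal.action_step_name}'>{goal.action_step_description}</li>"
            f"<div data-note='{goal.note_name}'>{goal.goal_notes}</div>")

def render_hardened(goal: Goal) -> str:
    """Same layout, but every field is HTML-encoded at output time. quote=True
    also encodes ' and ", which is what keeps the attribute positions safe."""
    e = lambda s: html.escape(s, quote=True)
    return (f"<h2>{e(goal.goal_name)}</h2><p>{e(goal.goal_description)}</p>"
            f"<li title='{e(goal.action_step_name)}'>{e(goal.action_step_description)}</li>"
            f"<div data-note='{e(goal.note_name)}'>{e(goal.goal_notes)}</div>")

# Markup has no place in a free-text HR goal field. This flags tags, inline event
# handlers and javascript: URLs in stored records so data entered before the
# upgrade can be reviewed; tune the pattern to your own data.
SUSPICIOUS = re.compile(r"<\s*/?[a-z][^>]*>|\bon[a-z]+\s*=|javascript:", re.I)

def audit_goal(goal: Goal) -> list[str]:
    """Return the names of the stored fields that contain markup."""
    return [f for f in GOAL_FIELDS if SUSPICIOUS.search(getattr(goal, f))]

# Constructed samples: a benign goal and one with harmless canary payloads in the
# Goal Name (element body) and Note Name (attribute) positions.
CLEAN = Goal("Close Q3 backlog", "Reduce open tickets", "on track",
             "Triage", "Sort by age", "weekly")
TAINTED = Goal("<script>alert('canary')</script>", "Reduce open tickets",
               "on track", "Triage", "Sort by age", "' onmouseover='alert(1)")

if __name__ == "__main__":
    print(audit_goal(TAINTED), "<script>" in render_hardened(TAINTED))
```

For benign records the encoded output is identical to the naive one, so encoding at render time costs nothing in normal display and only changes what a stored payload can do.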

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
