VYPR
Medium severity · 6.1 (NVD) · Advisory · Published Oct 21, 2025 · Updated Apr 15, 2026

CVE-2025-60934

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in the index.php component of HR Performance Solutions Performance Pro v3.19.17 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Employee Notes title or description parameters. The patched version is PP-Release-6.3.2.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple stored XSS vulnerabilities in HR Performance Solutions Performance Pro v3.19.17 allow authenticated attackers to execute arbitrary scripts via crafted payloads in Employee Notes fields.

Vulnerability

Description

Analysis of CVE-2025-60934 reveals multiple stored cross-site scripting (XSS) vulnerabilities in the index.php component of HR Performance Solutions Performance Pro version 3.19.17 and earlier [1]. The root cause is improper neutralization of user input during web page generation, specifically within the Employee Notes functionality. Unsanitized input submitted via POST requests to the index.php?mode=mNote&job=update endpoint is stored server-side and later rendered into the DOM without encoding, allowing persistent JavaScript injection [1]. Vulnerable parameters include the title and description fields of Employee Notes [1].

Exploitation

Prerequisites and Method

Exploitation requires an authenticated user account because the vulnerable functionality is only accessible after login [1]. An attacker can inject a malicious JavaScript payload into either the title or description parameter when creating or updating an Employee Note. The injected title payload is triggered when any user views the home page or prints employee notes. The description payload is triggered when the note is printed or viewed via /viewnote.php?id= [1]. The attacker can then share the crafted note URL or link to other authenticated users through phishing or social engineering to achieve execution in their browsers [1].

Impact

Successful exploitation allows the attacker to execute arbitrary web scripts or HTML in the context of the victim's browser session. This can lead to alteration of the user interface, data exfiltration (e.g., session cookies), or redirection to malicious sites [1]. The vulnerability is classified as stored (persistent) XSS because the injected payload remains on the server and affects any subsequent viewer.

Mitigation

The vendor has addressed these vulnerabilities in version PP-Release-6.3.2.0, which is the patched release [1]. Users running Performance Pro v3.19.17 or earlier should upgrade immediately to remediate the issue.
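As an added illustration (not code from the vendor, the product, or this advisory), the output-encoding step that a note renderer needs so a stored payload is displayed as text rather than executed. The note array, the field names and the sample payload are constructed for the example; the helper names are assumed.

```php
<?php
// Added example: rendering an Employee Note so stored markup stays inert.
// render_note_vulnerable() shows the failure mode the advisory describes;
// render_note_safe() shows the fix. Field names mirror the advisory's parameters.

// Constructed sample note, as it would sit in the database after a crafted update.
$note = [
    'id'          => 42,
    'title'       => '"><img src=x onerror=alert(1)>',
    'description' => '<script>alert(1)</script>',
];

// Vulnerable pattern: stored fields are concatenated into HTML unchanged.
function render_note_vulnerable(array $note): string
{
    return "<a href=\"/viewnote.php?id={$note['id']}\" title=\"{$note['title']}\">"
         . "{$note['title']}</a><p>{$note['description']}</p>";
}

// Encode for the HTML context the value lands in. ENT_QUOTES covers attribute
// values in either quote style; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise silently blank the field.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_note_safe(array $note): string
{
    $id = (int) $note['id'];   // numeric id: cast to int rather than escaping
    return '<a href="/viewnote.php?id=' . $id . '" title="' . h($note['title']) . '">'
         . h($note['title']) . '</a><p>' . h($note['description']) . '</p>';
}

echo render_note_vulnerable($note), PHP_EOL;  // tags survive: executable in the viewer's browser
echo render_note_safe($note), PHP_EOL;        // &lt;script&gt;... : shown as literal text
```

Encoding at output time is the fix; filtering on input alone does not protect values that were stored before the filter existed.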

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (No linked articles in our index yet.)