Horilla has HTML Injection Issue that, with Phishing, Leads to Account Takeover
Description
Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.
Affected products
1- Range: 1.0.0, 1.1.0, 1.2.0, …
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- github.com/horilla-opensource/horilla/releases/tag/1.5.0mitrex_refsource_MISC
- github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.