CVE-2025-48867 is a stored cross-site scripting (XSS) vulnerability identified in Horilla HRM version 1.3.0, an open-source Human Resource Management System. The vulnerability arises due to improper neutralization of input during web page generation (CWE-79), specifically within the Project and Task modules. Authenticated users with admin or privileged roles can inject malicious JavaScript payloads into multiple input fields. These payloads are stored persistently in the backend database and executed when viewed by other privileged users through the web interface. This stored XSS attack vector enables attackers to hijack sessions, perform unauthorized actions, or escalate privileges within the application context. The vulnerability requires both authentication and user interaction (viewing the malicious content) but does not allow exploitation by unauthenticated users. At the time of publication, no patch or fix is available, increasing the risk for organizations relying on this version. The CVSS 3.1 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, and user interaction needed, with partial confidentiality and integrity impact but no availability impact. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable module. Although no known exploits are currently in the wild, the potential for session hijacking and unauthorized privileged actions makes this a significant concern for organizations using Horilla HRM 1.3.0.

For European organizations using Horilla HRM 1.3.0, this vulnerability poses a risk to the confidentiality and integrity of sensitive HR data and administrative controls. Attackers with privileged access could inject malicious scripts that compromise sessions of other administrators or privileged users, potentially leading to unauthorized data access, manipulation of HR records, or disruption of HR workflows. Given the sensitive nature of HR data, including personal employee information and organizational structure, exploitation could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. The requirement for authenticated privileged access limits the attack surface but insider threats or compromised admin credentials could be leveraged. The lack of a patch means organizations must rely on compensating controls to mitigate risk. The medium CVSS score reflects moderate risk but the potential impact on high-privilege accounts elevates the threat in environments where Horilla HRM is critical to HR operations.

1. Immediate mitigation should focus on restricting admin and privileged user access to trusted personnel only, enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 2. Implement strict input validation and output encoding at the application or web server level as a temporary measure to neutralize malicious scripts, for example, using web application firewalls (WAFs) with custom rules targeting the vulnerable input fields. 3. Monitor logs and user activities for unusual behavior indicative of XSS exploitation attempts or session hijacking. 4. Limit the number of users with admin or privileged roles and regularly review permissions to minimize exposure. 5. Consider isolating the HRM system within a segmented network zone with restricted access to reduce lateral movement risk. 6. Stay alert for vendor updates or community patches addressing this vulnerability and plan for timely application once available. 7. Educate privileged users about the risks of clicking on suspicious links or viewing untrusted content within the HRM interface. 8. If feasible, upgrade to a non-vulnerable version or alternative HRM solutions until a patch is released.