CVE-2025-51989: n/a
HTML injection vulnerability in the registration interface in Evolution Consulting Kft. HRmaster module v235 allows an attacker to inject HTML tags into the "keresztnév" (firstname) field, which will be sent out in an email, resulting in possible phishing scenarios against any previously unregistered email address.
AI Analysis
Technical Summary
CVE-2025-51989 is an HTML injection vulnerability identified in the registration interface of the HRmaster module developed by Evolution Consulting Kft. Specifically, the vulnerability exists in the "keresztnév" (firstname) input field. An attacker can inject arbitrary HTML tags into this field during the registration process. The injected HTML content is then included in an email sent out by the system. Because this email can be sent to any email address, including those not previously registered, the vulnerability opens the door to phishing attacks. The attacker could craft malicious HTML content that appears legitimate within the email, potentially tricking recipients into clicking malicious links or executing unintended actions. This vulnerability is classified under CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page), indicating that the application fails to properly sanitize user input before embedding it in HTML content. The CVSS v3.1 base score is 7.0, indicating a high severity level. The vector string (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L) shows that the attack is network exploitable without privileges or user interaction, but requires high attack complexity. The impact on confidentiality is high due to the potential for phishing and credential theft, while integrity and availability impacts are low. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on August 21, 2025, with the reservation date of June 16, 2025.
Potential Impact
For European organizations using the Evolution Consulting Kft. HRmaster module, this vulnerability poses a significant risk. The ability to inject HTML into emails sent by the system can facilitate sophisticated phishing campaigns targeting employees, partners, or clients. Since the emails can be sent to any address, attackers can impersonate the organization to external parties, potentially leading to credential theft, unauthorized access, or further malware infections. This can result in data breaches, financial loss, reputational damage, and regulatory penalties under GDPR if personal data is compromised. The phishing vector is particularly concerning in sectors with sensitive HR data, such as finance, healthcare, and government institutions. The high confidentiality impact means sensitive information could be exposed or harvested. The low integrity and availability impact suggest the vulnerability is less likely to directly alter data or disrupt services but can serve as an entry point for broader attacks. The lack of required user interaction lowers the barrier for exploitation, although the high attack complexity means exploitation may require specific conditions or skills.
Mitigation Recommendations
1. Immediate input validation and sanitization: Implement strict server-side validation on the "keresztnév" field to neutralize or remove HTML tags and scripts before processing or including them in emails.
2. Contextual output encoding: Ensure that any user-supplied data included in emails is properly encoded for HTML contexts to prevent injection.
3. Email content hardening: Use plain-text emails or sanitize HTML email templates to avoid rendering injected HTML content.
4. Implement Content Security Policy (CSP) headers for web interfaces to reduce the impact of injected scripts if applicable.
5. Monitor outgoing emails for suspicious content patterns indicative of injection attempts.
6. Educate users and recipients to recognize phishing emails and report suspicious messages.
7. Coordinate with Evolution Consulting Kft. to obtain patches or updates addressing this vulnerability as soon as they become available.
8. Employ email authentication mechanisms such as SPF, DKIM, and DMARC to reduce phishing success rates.
9. Restrict registration attempts and implement CAPTCHA or other bot mitigation to reduce automated exploitation attempts.
10. Conduct regular security assessments and penetration tests focusing on input validation and email generation components.
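Recommendations 1 to 3 applied to a registration email, as an added example that is not HRmaster code: the raw-concatenation pattern the advisory describes next to an allowlist check and HTML-context encoding. The template, sample input and all function names are constructed for illustration.

```python
import html
import unicodedata
from email.message import EmailMessage

# Constructed template and sample input; the real HRmaster template is not public.
TEMPLATE = "<p>Kedves {firstname}!</p><p>Your registration was received.</p>"
SAMPLE_INJECTED = 'Anna<a href="https://example.invalid/">verify your account</a>'
MAX_NAME_LEN = 64
# Period, slash and colon are left out on purpose: some mail clients
# auto-link bare domains and URLs even in escaped or plain-text bodies.
ALLOWED_PUNCT = " -'"


def validate_firstname(raw: str) -> str:
    """Allowlist check: Unicode letters/marks plus space, hyphen, apostrophe."""
    name = unicodedata.normalize("NFC", raw).strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("firstname length out of range")
    for ch in name:
        if not (unicodedata.category(ch)[0] in "LM" or ch in ALLOWED_PUNCT):
            raise ValueError(f"firstname contains disallowed character {ch!r}")
    return name


def render_vulnerable(firstname: str) -> str:
    """The flaw class in the advisory: raw input placed into HTML as-is."""
    return TEMPLATE.format(firstname=firstname)


def render_hardened(firstname: str) -> str:
    """Contextual output encoding: markup characters become entities."""
    return TEMPLATE.format(firstname=html.escape(firstname, quote=True))


def build_message(to_addr: str, firstname: str) -> EmailMessage:
    """Validate, then send plain text with an escaped HTML alternative."""
    name = validate_firstname(firstname)
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Registration received"
    msg.set_content(f"Kedves {name}!\nYour registration was received.")
    msg.add_alternative(render_hardened(name), subtype="html")
    return msg
```

Validation and encoding are layered deliberately: the allowlist rejects the input early, and the encoder still protects the template if a future field skips validation.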
Affected Countries
Hungary, Germany, France, United Kingdom, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68a77b71ad5a09ad0017da5d
Added to database: 8/21/2025, 8:02:57 PM
Last enriched: 8/29/2025, 1:11:41 AM
Last updated: 8/29/2025, 1:11:41 AM