FKIE_CVE-2026-24039
Vulnerability from fkie_nvd - Published: 2026-01-22 04:16 - Updated: 2026-01-29 18:47
Summary
Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. Successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials) and may enable submission of unvetted documents. This issue is fixed in version 1.5.0.
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:horilla:horilla:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "55143854-C369-4CAA-B671-90EFC9170F64",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0."
},
{
"lang": "es",
"value": "Horilla es un Sistema de Gesti\u00f3n de Recursos Humanos (HRMS) gratuito y de c\u00f3digo abierto. La versi\u00f3n 1.4.0 tiene un Control de Acceso Inadecuado, permitiendo a empleados con pocos privilegios autoaprobar documentos que han subido. La interfaz de usuario (UI) de aprobaci\u00f3n de documentos est\u00e1 destinada a ser restringida solo a roles de administrador o de grandes privilegios; sin embargo, una verificaci\u00f3n de autorizaci\u00f3n insuficiente del lado del servidor en el endpoint de aprobaci\u00f3n permite a un empleado est\u00e1ndar modificar el estado de aprobaci\u00f3n de su propio documento subido. Si se explota con \u00e9xito, usuarios con permisos solo de nivel de empleado pueden alterar el estado de la aplicaci\u00f3n reservado para administradores. Esto socava la integridad de los procesos de RRHH (por ejemplo, la aceptaci\u00f3n de credenciales, certificaciones o materiales de apoyo), y puede permitir la presentaci\u00f3n de documentos no verificados. Este problema est\u00e1 solucionado en la versi\u00f3n 1.5.0."
}
],
"id": "CVE-2026-24039",
"lastModified": "2026-01-29T18:47:30.633",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-22T04:16:00.033",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99mq-mhwv-w9qx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.