📄 Description (English)
Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking "Session Expired" message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker's server, enabling Account Takeover. Version 1.5.0 patches the issue.
🤖 AI Executive Summary
Horilla HRMS versions prior to 1.5.0 contain a critical file upload vulnerability allowing authenticated users to deploy credential-stealing phishing attacks. Attackers can upload malicious HTML files disguised as profile pictures, creating convincing login page replicas that capture user credentials for account takeover. With exploit code publicly available and affecting HR systems managing sensitive employee data across Saudi organizations, immediate patching to version 1.5.0 is critical.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 18:20
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Horilla HRMS face significant risk, particularly in banking sector (SAMA-regulated institutions managing employee records), government agencies (NCA oversight), healthcare organizations (managing clinical staff credentials), and large enterprises. The vulnerability enables credential theft of HR personnel with access to sensitive systems, potentially leading to lateral movement into financial systems, payroll manipulation, and unauthorized access to employee personal data subject to Saudi data protection regulations. Social engineering component increases success rate in Saudi business culture emphasizing trust-based communications.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Large Enterprises and Corporations
Education and Universities
🎯 MITRE ATT&CK Techniques
T1566.002 - Phishing: Spearphishing Link
T1598.003 - Gather Victim Identity Information: Spearphishing Link
T1187 - Forced Authentication
T1056.004 - Keylogging
T1110.001 - Brute Force: Password Guessing
T1078.001 - Valid Accounts: Default Accounts
T1199 - Trusted Relationship
T1566.001 - Phishing: Spearphishing Attachment
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Horilla HRMS instances in your environment and document current versions
2. Restrict file upload functionality to authenticated users only (already in place but verify)
3. Disable direct access to uploaded files via web browser - serve through download handler instead
4. Review uploaded files in the past 90 days for suspicious HTML/JavaScript content
PATCHING:
1. Upgrade all Horilla instances to version 1.5.0 or later immediately
2. Test patch in non-production environment first
3. Implement change management process for production deployment
COMPENSATING CONTROLS (if immediate patching delayed):
1. Implement file type validation - whitelist only image formats (JPG, PNG, GIF)
2. Rename uploaded files with random identifiers, removing original extensions
3. Store uploads outside web root or in protected directory with no execute permissions
4. Implement Content-Security-Policy headers to prevent inline script execution
5. Require re-authentication for sensitive operations (password changes, system access)
DETECTION:
1. Monitor file upload logs for HTML, HTM, JS, SVG file extensions
2. Alert on profile picture uploads larger than 5MB
3. Track access to uploaded profile pictures from non-HR IP ranges
4. Monitor for multiple failed login attempts followed by successful logins from different IPs
5. Search web logs for 'Session Expired' or similar phishing keywords in uploaded content
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ Horilla HRMS في بيئتك وتوثيق الإصدارات الحالية
2. تقييد وظيفة تحميل الملفات للمستخدمين المصرح لهم فقط (موجود بالفعل لكن تحقق)
3. تعطيل الوصول المباشر للملفات المحملة عبر متصفح الويب - قدمها من خلال معالج التنزيل بدلاً من ذلك
4. مراجعة الملفات المحملة في آخر 90 يوماً بحثاً عن محتوى HTML/JavaScript مريب
التصحيح:
1. ترقية جميع نسخ Horilla إلى الإصدار 1.5.0 أو أحدث فوراً
2. اختبار التصحيح في بيئة غير الإنتاج أولاً
3. تنفيذ عملية إدارة التغيير لنشر الإنتاج
الضوابط البديلة (إذا تأخر التصحيح الفوري):
1. تنفيذ التحقق من نوع الملف - قائمة بيضاء بصيغ الصور فقط (JPG, PNG, GIF)
2. إعادة تسمية الملفات المحملة بمعرفات عشوائية، مع إزالة الامتدادات الأصلية
3. تخزين التحميلات خارج جذر الويب أو في دليل محمي بدون أذونات التنفيذ
4. تنفيذ رؤوس Content-Security-Policy لمنع تنفيذ البرامج النصية المضمنة
5. طلب إعادة المصادقة للعمليات الحساسة (تغييرات كلمة المرور، الوصول إلى النظام)
الكشف:
1. مراقبة سجلات تحميل الملفات لامتدادات HTML, HTM, JS, SVG
2. تنبيه عند تحميل صور الملف الشخصي أكبر من 5MB
3. تتبع الوصول إلى صور الملف الشخصي المحملة من نطاقات IP غير HR
4. مراقبة محاولات تسجيل الدخول الفاشلة المتعددة متبوعة بعمليات تسجيل دخول ناجحة من عناوين IP مختلفة
5. البحث في سجلات الويب عن كلمات رئيسية تصيد احتيالي مثل 'انتهت الجلسة' في المحتوى المحمل
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.2 - Access Control and Authentication
A.7.1.1 - Cryptography and Data Protection
A.8.1.1 - Malware and Vulnerability Management
A.9.1.1 - Incident Response and Management
🔵 SAMA CSF
Governance - Security Policy and Risk Management
Protect - Access Control and Authentication
Protect - Data Protection and Privacy
Detect - Monitoring and Logging
Respond - Incident Response Procedures
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.2 - Access control
A.8.1.1 - Information security incident management
A.8.2.1 - Responsibilities and procedures
A.12.2.1 - Restrictions on information access and use
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards
Requirement 6.5.1 - Injection flaws
Requirement 6.5.8 - Improper access control
Requirement 8.1 - Unique user identification
📦 Affected Products / CPE 1 entries
horilla:horilla