Multiple vulnerabilities in Human Resource Management System

Posted date 29/07/2025
Identifier
INCIBE-2025-0409
Importance
4 - High
Affected Resources

Human Resource Management System, 1.0 version.

Description

INCIBE has coordinated the publication of 5 vulnerabilities, 1 of high severity and 4 of medium severity, affecting Human Resource Management System, a human resources management system. The vulnerabilities have been discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and the vulnerability CWE type for each vulnerability:

  • CVE-2025-40682: CVSS v4.0: 8.7 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
  • From CVE-2025-40683 to CVE-2025-40686: CVSS v4.0: 4.8 | CVSS AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

No solution reported at this time.

Detail
  • CVE-2025-40682: SQL injection vulnerability in Human Resource Management System version 1.0, which allows an attacker to retrieve, create, update and delete databases via the “city” and “state” parameters in the /controller/ccity.php endpoint.
  • Reflected Cross-Site Scripting (XSS) in Human Resource Management System version 1.0. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL. The list of assigned parameters and identifiers is as follows:
    • CVE-2025-40683: 'searccity' parameter in /city.php.
    • CVE-2025-40684: 'searccountry' parameter in /country.php.
    • CVE-2025-40685: 'searcstate' parameter in /state.php.
    • CVE-2025-40686: 'employeeid' parameter in /detailview.php.
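Since no fix is reported, a defender's first step is usually to watch requests to the affected endpoints. The script below is an added example, not part of the INCIBE advisory or of the Human Resource Management System project: it inspects access-log lines for the endpoints and parameters listed above and flags values carrying SQL or HTML markup tokens. The heuristic patterns and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoints and parameters named in INCIBE-2025-0409, with the CWE class the advisory assigns.
WATCHED = {
    "/controller/ccity.php": ("CWE-89", {"city", "state"}),
    "/city.php": ("CWE-79", {"searccity"}),
    "/country.php": ("CWE-79", {"searccountry"}),
    "/state.php": ("CWE-79", {"searcstate"}),
    "/detailview.php": ("CWE-79", {"employeeid"}),
}
# Coarse heuristics per class: SQL quote/comment/keyword tokens (CWE-89), HTML/JS markup (CWE-79).
PATTERNS = {
    "CWE-89": re.compile(r"['\"]|--|/\*|\b(union|select|sleep)\b", re.I),
    "CWE-79": re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.I),
}
# Common/combined access-log format; only the request target is needed.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

def inspect_line(line):
    """Return (cwe, path, param, decoded_value) for each watched parameter whose value matches
    the heuristic for its endpoint. Access logs carry no POST body, so only the query string is
    inspected; form-posted ccity.php parameters need application-level or WAF logging instead."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path not in WATCHED:
        return []
    cwe, params = WATCHED[url.path]
    findings = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name in params:
            for value in values:
                value = unquote_plus(value)  # second decode so double-encoded input is still caught
                if PATTERNS[cwe].search(value):
                    findings.append((cwe, url.path, name, value))
    return findings

def scan(lines):
    """Flatten findings over a whole log, preserving order."""
    return [f for line in lines for f in inspect_line(line)]

# Constructed sample lines (not real traffic): benign search, one hit per advisory class, unrelated path.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Jul/2025:10:00:01 +0200] "GET /city.php?searccity=Madrid HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Jul/2025:10:00:02 +0200] "GET /controller/ccity.php?city=Madrid%27--&state=1 HTTP/1.1" 200 88',
    '198.51.100.7 - - [29/Jul/2025:10:00:03 +0200] "GET /city.php?searccity=%3Cscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/Jul/2025:10:00:04 +0200] "GET /index.php?q=%3Cb%3E HTTP/1.1" 200 512',
]
```

Run `scan()` over a real log export to get a timeline of suspicious requests per endpoint; treat hits as triage leads, since the patterns are deliberately coarse.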
CVE
Exploitation
No