Horilla Exposes Unpublished Job Disclosures through Unauthenticated API

Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

访问控制不恰当

Horilla 访问控制错误漏洞

Horilla是Horilla公司的一款免费的开源人力资源软件。 Horilla 1.4.0及之后版本存在访问控制错误漏洞，该漏洞源于未经验证即可访问未发布的招聘信息，可能导致敏感内部招聘信息泄露。

N/A

N/A