Platform
go
Component
1
Fixed in
1.0.2
A problematic cross-site scripting (XSS) vulnerability has been identified in code-projects Human Resource Management System, affecting versions 1.0.0 through 1.0.1. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The issue resides within the UpdateRecruitmentById function of the \handler\recruitment.go file. A fix is available in version 1.0.2.
Successful exploitation of CVE-2025-2590 allows an attacker to inject arbitrary JavaScript code into the Human Resource Management System. This code can then be executed in the context of a victim's browser when they interact with the vulnerable application. The impact ranges from simple defacement of the application's interface to more severe consequences such as stealing user credentials, redirecting users to malicious websites, or even gaining control of the user's session. The attack is remotely exploitable, meaning an attacker does not need to be on the same network as the vulnerable system.
This vulnerability has been publicly disclosed, and a proof-of-concept may be available. The CVSS score of 2.4 indicates a low severity, suggesting that exploitation is relatively straightforward but the potential impact is limited. As of the publication date (2025-03-21), there are no reports of active exploitation campaigns targeting this vulnerability. It is advisable to prioritize patching to prevent potential future attacks.
Exploit Status
EPSS
0.08% (23% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2590 is to upgrade the Human Resource Management System to version 1.0.2 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on the UpdateRecruitmentById function to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Regularly review and update security policies and procedures to prevent similar vulnerabilities from arising in the future.
Update to a patched version of the human resource management system. Contact the vendor for a corrected version or implement input sanitization measures for the 'c' argument in the UpdateRecruitmentById function of the handler/recruitment.go file.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-2590 is a cross-site scripting (XSS) vulnerability affecting Human Resource Management System versions 1.0.0–1.0.1. It allows attackers to inject malicious scripts via the UpdateRecruitmentById function.
You are affected if you are using Human Resource Management System versions 1.0.0 or 1.0.1. Upgrade to version 1.0.2 or later to mitigate the risk.
Upgrade to version 1.0.2 or later. As a temporary workaround, implement input validation and output encoding on the vulnerable function.
As of the publication date, there are no confirmed reports of active exploitation, but the vulnerability is publicly disclosed and a proof-of-concept may be available.
Refer to the code-projects official website or repository for the advisory related to CVE-2025-2590.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your go.mod file and we'll tell you instantly if you're affected.