CVE-2025-60933

6.1 MEDIUM

📋 TL;DR

This CVE describes stored XSS vulnerabilities in HR Performance Solutions Performance Pro v3.19.17 that allow attackers to inject malicious scripts into multiple fields in the Future Goals function. When other users view these compromised goals, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. Organizations using Performance Pro v3.19.17 or earlier versions are affected.

💻 Affected Systems

Products:
  • HR Performance Solutions Performance Pro
Versions: v3.19.17 and earlier versions
Operating Systems: Windows, Linux, Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the web interface of Performance Pro regardless of underlying OS. All installations with the vulnerable version are affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, gain full system access, pivot to internal systems, and compromise sensitive HR data including employee performance reviews and personal information.

🟠 Likely Case

Attackers with user-level access could inject malicious scripts that execute when other users view goals, potentially stealing their session cookies to impersonate them or performing unauthorized actions on their behalf.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code, preventing exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to create/modify goals. The attacker needs at least user-level credentials to inject payloads into the vulnerable fields.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PP-Release-6.3.2.0

Vendor Advisory: https://docs.offsecguy.com/cve/hr-performance-solutions/vulnerability/reflected-xss-future-goals

Restart Required: No

Instructions:

  1. Download PP-Release-6.3.2.0 from the vendor portal.
  2. Back up the current installation and database.
  3. Apply the update following the vendor's instructions.
  4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation to sanitize HTML/script tags in Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description fields
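The following is an added example, not Performance Pro code, showing the two controls this page relies on: server-side validation of the six named fields, and HTML-entity encoding of stored values when they are rendered (the "output encoding" referred to under If Mitigated). The GOAL_FIELDS list, the MAX_FIELD_LENGTH cap and the rendering templates are assumptions made for the example. It also includes a parser-based check that can be used when verifying a fix: it reports any element or event-handler attribute that survives into the rendered goal view.

```python
import html
from html.parser import HTMLParser

# The six Future Goals fields named in this advisory. Added example code;
# how the product itself stores these fields is not known from this page.
GOAL_FIELDS = (
    "Goal Name",
    "Goal Notes",
    "Action Step Name",
    "Action Step Description",
    "Note Name",
    "Goal Description",
)

# Hypothetical per-field length cap; a real deployment takes this from its schema.
MAX_FIELD_LENGTH = 2000


def validate_goal(goal: dict) -> list:
    """Server-side input validation: returns a list of problems (empty if acceptable).

    This checks field names, types and length only. It deliberately does not try to
    strip '<script>' from the text, because tag blocklists are bypassable; the control
    that actually neutralises stored script is output encoding in render_goal().
    """
    problems = []
    for name, value in goal.items():
        if name not in GOAL_FIELDS:
            problems.append(f"unexpected field {name!r}")
        elif not isinstance(value, str):
            problems.append(f"{name}: expected text")
        elif len(value) > MAX_FIELD_LENGTH:
            problems.append(f"{name}: longer than {MAX_FIELD_LENGTH} characters")
    return problems


def render_goal_unsafe(goal: dict) -> str:
    """The pattern behind stored XSS: stored text is concatenated into HTML unencoded."""
    return "".join(f'<div class="field"><b>{k}</b>: {v}</div>' for k, v in goal.items())


def render_goal(goal: dict) -> str:
    """Hardened rendering: every stored value is HTML-entity encoded when it is output."""
    return "".join(
        f'<div class="field"><b>{html.escape(k)}</b>: {html.escape(v)}</div>'
        for k, v in goal.items()
    )


class _ActiveContentFinder(HTMLParser):
    """Parses rendered HTML and reports anything the goal view should never contain."""

    ALLOWED_TAGS = {"div", "b"}  # the only elements the templates above emit

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            self.findings.append(f"unexpected element <{tag}>")
        for attr_name, attr_value in attrs:
            if attr_name.startswith("on"):
                self.findings.append(f"event handler attribute {attr_name}")
            elif attr_value and attr_value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {attr_name}")


def find_active_content(rendered_html: str) -> list:
    """Verification helper: list executable constructs that survived rendering."""
    finder = _ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


# Constructed sample of what an authenticated user might store in a goal.
STORED_GOAL = {
    "Goal Name": "Q3 targets<script>alert(1)</script>",
    "Goal Notes": "<img src=x onerror=alert(1)>",
    "Goal Description": "Improve on-call response time",
}

if __name__ == "__main__":
    print("validation problems:", validate_goal(STORED_GOAL))
    print("unsafe render:", find_active_content(render_goal_unsafe(STORED_GOAL)))
    print("encoded render:", find_active_content(render_goal(STORED_GOAL)))
```

Run stand-alone, the unsafe renderer reports the script element, the image element and its onerror handler, while the encoded renderer reports nothing: the same stored text is displayed as literal characters. Validation is kept separate from encoding on purpose, so that rejecting a field on length or name never becomes the only thing standing between stored text and the browser.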

Content Security Policy (applies to: all)

Implement strict Content Security Policy headers to prevent execution of inline scripts and restrict script sources

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in the vulnerable parameters
  • Disable or restrict access to the Future Goals function for non-essential users

🔍 How to Verify

Check if Vulnerable:

Check application version in admin panel or configuration files. If version is v3.19.17 or earlier, the system is vulnerable.

Check Version:

Check admin dashboard or application configuration file for version information

Verify Fix Applied:

After patching, verify version shows PP-Release-6.3.2.0. Test by attempting to inject basic XSS payloads into the vulnerable fields and confirm they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual length or content in Goal/Note fields
  • Multiple rapid modifications to goal entries
  • User accounts accessing/modifying many goals

Network Indicators:

  • HTTP requests containing script tags or JavaScript in vulnerable parameter names
  • Unusual outbound connections from user browsers after viewing goals

SIEM Query:

source="web_logs" AND (uri="*/future-goals*" OR uri="*/goal*" OR uri="*/note*") AND (param="Goal Name" OR param="Goal Notes" OR param="Action Step Name" OR param="Action Step Description" OR param="Note Name" OR param="Goal Description") AND (content="<script>" OR content="javascript:" OR content="onerror=" OR content="onload=")
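The SIEM query above, turned into detection logic that runs over log lines, as an added example rather than anything shipped with the product. The log line layout ("user=<u> <method> <path> [<body>]") and the request parameter keys mapped to the six field names are constructed for this example; the product's real parameter names are not given on this page and would have to be taken from a captured request. Values are percent-decoded before matching so that an encoded <script> is still seen.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Map of request parameter names to the advisory's field names. The parameter
# keys are an assumption made for this example, not the product's real form keys.
MONITORED_PARAMS = {
    "goal_name": "Goal Name",
    "goal_notes": "Goal Notes",
    "action_step_name": "Action Step Name",
    "action_step_description": "Action Step Description",
    "note_name": "Note Name",
    "goal_description": "Goal Description",
}

# URI fragments and content markers taken from the SIEM query in this advisory.
MONITORED_PATHS = ("/future-goals", "/goal", "/note")
MARKERS = ("<script", "javascript:", "onerror=", "onload=")

# Constructed sample lines in a simplified "user=<u> <method> <path> [<body>]" layout;
# this is not Performance Pro's real log format.
SAMPLE_LOGS = [
    "user=alice POST /future-goals/save goal_name=Q3+targets&goal_description=Ship+v2",
    "user=bob POST /future-goals/save goal_notes=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "user=carol POST /goal/update action_step_name=x&action_step_description=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E",
    "user=dave GET /reports/summary?q=onload",
    "user=erin POST /note/save note_name=Discuss+%3Cteam%3E+goals",
]

_LINE = re.compile(r"^user=(\S+) (\S+) (\S+)(?: (.*))?$")


def scan_line(line: str) -> list:
    """Return one finding per monitored parameter whose decoded value carries a marker."""
    m = _LINE.match(line)
    if not m:
        return []
    user, method, path, body = m.groups()
    if not any(fragment in path for fragment in MONITORED_PATHS):
        return []
    # Parameters arrive percent- and plus-encoded; parse_qs decodes both, so
    # %3Cscript%3E is compared as <script>.
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    findings = []
    for key, values in params.items():
        field = MONITORED_PARAMS.get(key)
        if field is None:
            continue
        for value in values:
            lowered = value.lower()
            marker = next((mk for mk in MARKERS if mk in lowered), None)
            if marker:
                findings.append({"user": user, "method": method, "path": path,
                                 "field": field, "marker": marker})
    return findings


def scan_logs(lines) -> list:
    """Run scan_line over every line and flatten the results."""
    return [finding for line in lines for finding in scan_line(line)]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"{hit['user']} wrote {hit['marker']!r} into {hit['field']} "
              f"via {hit['method']} {hit['path']}")
```

On the sample lines only bob's and carol's writes are reported; erin's literal angle brackets and dave's unrelated "onload" query do not match, which is the point of restricting the check to the monitored parameters rather than the whole request. Note that this approach only works where request bodies (or at least the monitored parameters) are actually logged, and logging HR field contents has its own data-handling implications.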
