Platform
php
Component
worksuite-hr-crm-and-project-management
Fixed in
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.5.17
5.5.18
5.5.19
5.5.20
5.5.21
5.5.22
5.5.23
5.5.24
5.5.25
5.5.26
CVE-2026-4165 describes a cross-site scripting (XSS) vulnerability affecting Worksuite HR, CRM and Project Management versions 5.5.0 through 5.5.25. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. The vulnerability stems from improper handling of user input within the /account/orders/create endpoint, specifically the 'Client Note' parameter. A patch is available to address this issue.
Successful exploitation of CVE-2026-4165 allows an attacker to inject arbitrary JavaScript code into the Worksuite HR, CRM and Project Management application. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the application's user interface, and theft of sensitive user data such as login credentials, personal information, and financial details. The attacker could potentially gain unauthorized access to user accounts and perform actions on their behalf. Given the nature of HR, CRM, and project management systems, the data at risk includes highly confidential employee records, customer data, and project-related information, making this a significant concern for organizations using this software.
CVE-2026-4165 has been publicly disclosed, increasing the risk of exploitation. No KEV listing or EPSS score is currently available. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's nature and public disclosure. The vulnerability was published on 2026-03-15.
Organizations utilizing Worksuite HR, CRM and Project Management versions 5.5.0 through 5.5.25 are at risk. This includes businesses of all sizes that rely on this software for managing human resources, customer relationships, and project workflows. Shared hosting environments where multiple users share the same instance of the software are particularly vulnerable, as an attacker could potentially compromise the entire environment through a single vulnerable application.
• generic web:
curl -s -X POST "http://<target>/account/orders/create" --data-urlencode "Client Note=<script>alert('XSS')</script>" | grep "alert('XSS')"
• generic web:
curl -s -G "http://<target>/account/orders/create" --data-urlencode "Client Note=<script>alert('XSS')</script>" | grep "alert('XSS')"
Disclosure
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4165 is to upgrade Worksuite HR, CRM and Project Management to a version that includes the security patch. Until an upgrade is possible, consider implementing input validation and sanitization on the 'Client Note' field to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. Regularly review application logs for suspicious activity, particularly requests to the /account/orders/create endpoint with unusual parameters. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Client Note field and verifying that it is properly sanitized.
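One way to carry out the log review suggested above, as an added example that is not Worksuite's code or part of the original advisory: it parses nginx/Apache combined-format access log lines (assumed format; the sample lines are constructed), keeps only requests to /account/orders/create and flags query parameters whose decoded value contains markup tags, inline event handlers or a javascript: URL. Access logs do not record POST bodies, so covering the POST variant requires application-level request logging.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed example for this advisory, not Worksuite code. Assumes the
# nginx/Apache combined log format: only GET query strings appear there, so
# POST bodies need application-level request logging to be covered.
TARGET_PATH = "/account/orders/create"
# Markup fragments that should never appear in a free-text order note
# (triage signals, not a complete XSS ruleset).
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

# Client IP, timestamp, and the quoted request line of a combined-format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return a finding dict for a suspicious request to TARGET_PATH, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != TARGET_PATH:
        return None
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = unquote_plus(raw)  # second decode exposes double-encoded payloads
            if SUSPICIOUS.search(value):
                return {"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
                        "status": int(m.group("status")), "param": name, "value": value}
    return None

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines; only the second carries an encoded script tag in "Client Note".
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Mar/2026:10:01:02 +0000] "GET /account/orders/create?Client+Note=Deliver+by+Friday HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Mar/2026:10:01:09 +0000] "GET /account/orders/create?Client%20Note=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.5.0"',
    '198.51.100.9 - - [15/Mar/2026:10:02:11 +0000] "GET /account/orders?Client%20Note=%3Cscript%3E HTTP/1.1" 404 120 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The third sample line is deliberately left unflagged because it targets a different path; widen TARGET_PATH to a prefix match if the deployment serves the vulnerable form under several routes.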
Update Worksuite HR, CRM and Project Management to a version later than 5.5.25. This fixes the cross-site scripting vulnerability in the affected component.
CVE-2026-4165 is a cross-site scripting (XSS) vulnerability in Worksuite HR, CRM and Project Management versions 5.5.0–5.5.25, allowing attackers to inject malicious scripts.
You are affected if you are using Worksuite HR, CRM and Project Management versions 5.5.0 through 5.5.25.
Upgrade to a patched version of Worksuite HR, CRM and Project Management. Implement input validation as a temporary workaround.
CVE-2026-4165 has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation has not been confirmed.
Refer to the Worksuite HR, CRM and Project Management official website or security advisory channels for the latest information.