Plattform
php
Komponente
aureuserp/aureuserp
Behoben in
1.3.0-BETA1
1.3.0-BETA1
CVE-2026-4175 describes a Cross-Site Scripting (XSS) vulnerability discovered in Aureus ERP versions up to 1.2.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides within the Chatter Message Handler component, specifically in the file plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php. A fix is available in version 1.3.0-BETA1.
Successful exploitation of CVE-2026-4175 could allow an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This could lead to various malicious actions, including stealing user credentials, redirecting users to phishing sites, or defacing the application's interface. The impact is amplified if the application handles sensitive data or is integrated with other critical systems. While the CVSS score is LOW, the potential for user compromise and data exfiltration remains a significant concern, especially in environments where user awareness is low or security controls are inadequate. The remote nature of the attack makes it easily exploitable.
CVE-2026-4175 was publicly disclosed on 2026-03-16. No public proof-of-concept (PoC) code has been identified at the time of writing, but the relatively straightforward nature of XSS vulnerabilities suggests that a PoC could emerge quickly. The EPSS score is pending evaluation. Monitor security advisories and vulnerability databases for updates and potential exploitation attempts.
Organizations using Aureus ERP versions 1.2.0 and earlier, particularly those with a significant user base or that handle sensitive data within the application, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a successful attack could potentially compromise other users on the same server.
• php: Examine the plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php file for any modifications or suspicious code.
find /var/www/html/plugins/webkul/chatter/resources/views/filament/infolists/components/messages/ -name 'content-text-entry.blade.php' -print0 | xargs -0 grep -i 'script src='• generic web: Monitor access logs for unusual requests containing JavaScript code in the subject or body parameters.
grep -i 'script src=' /var/log/apache2/access.logdisclosure
Exploit-Status
EPSS
0.03% (10% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-4175 is to upgrade Aureus ERP to version 1.3.0-BETA1 or later, which contains the necessary patch (2135ee7efff4090e70050b63015ab5e268760ec8). If an immediate upgrade is not feasible, consider implementing input validation and output encoding on the subject and body fields within the Chatter Message Handler component. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies to ensure they address XSS vulnerabilities effectively. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the message subject or body and verifying that it is properly sanitized.
Aktualisieren Sie Aureus ERP auf Version 1.3.0-BETA1 oder höher. Dieses Update behebt die Cross-Site Scripting (XSS)-Schwachstelle im Component Chatter Message Handler. Das Update enthält den Patch 2135ee7efff4090e70050b63015ab5e268760ec8.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-4175 is a Cross-Site Scripting (XSS) vulnerability affecting Aureus ERP versions up to 1.2.0, allowing attackers to inject malicious scripts.
You are affected if you are using Aureus ERP versions 1.2.0 or earlier. Upgrade to 1.3.0-BETA1 to mitigate the risk.
Upgrade Aureus ERP to version 1.3.0-BETA1. Implement input validation and output encoding as a temporary workaround if immediate upgrade is not possible.
No active exploitation has been confirmed at this time, but the vulnerability's nature suggests potential for exploitation.
Refer to the Aureus ERP official website or security advisories for the latest information and updates regarding CVE-2026-4175.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.