CVE-2026-4165 · Severity: LOW · CVSS 2.4

Cross-site scripting vulnerability in Worksuite HR, CRM and Project Management

Platform

php

Component

worksuite-hr-crm-and-project-management

Fixed versions

5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 5.5.21, 5.5.22, 5.5.23, 5.5.24, 5.5.25, 5.5.26

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-4165 describes a cross-site scripting (XSS) vulnerability affecting Worksuite HR, CRM and Project Management versions 5.5.0 through 5.5.25. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. The vulnerability stems from improper handling of user input within the /account/orders/create endpoint, specifically the 'Client Note' parameter. A patch is available to address this issue.

Impact and attack scenarios

Successful exploitation of CVE-2026-4165 allows an attacker to inject arbitrary JavaScript code into the Worksuite HR, CRM and Project Management application. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the application's user interface, and theft of sensitive user data such as login credentials, personal information, and financial details. The attacker could potentially gain unauthorized access to user accounts and perform actions on their behalf. Given the nature of HR, CRM, and project management systems, the data at risk includes highly confidential employee records, customer data, and project-related information, making this a significant concern for organizations using this software.

Exploitation context

CVE-2026-4165 has been publicly disclosed, increasing the risk of exploitation. No KEV listing or EPSS score is currently available. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's nature and public disclosure. The vulnerability was published on 2026-03-15.

Who is at risk

Organizations utilizing Worksuite HR, CRM and Project Management versions 5.5.0 through 5.5.25 are at risk. This includes businesses of all sizes that rely on this software for managing human resources, customer relationships, and project workflows. Shared hosting environments where multiple users share the same instance of the software are particularly vulnerable, as an attacker could potentially compromise the entire environment through a single vulnerable application.

Detection steps

• generic web (the endpoint needs an authenticated session; the CVSS vector lists Privileges Required: High):

curl -s -X POST "http://<target>/account/orders/create" --data-urlencode "Client Note=<script>alert('XSS')</script>" | grep "<script>alert('XSS')</script>"

• generic web (same check via the query string; -G with --data-urlencode encodes the space in the parameter name, which a raw URL would not):

curl -s -G "http://<target>/account/orders/create" --data-urlencode "Client Note=<script>alert('XSS')</script>" | grep "<script>alert('XSS')</script>"

A match means the payload came back unencoded; an HTML-encoded reflection (&lt;script&gt;...) does not match and indicates the field is being escaped.

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: NO
Internet exposure: not stated

EPSS

0.03% (8th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: partial

CVSS vector

Threat intelligence · CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
Score: 2.4 LOW (nextguardhq.com · CVSS v3.1 base score)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions needed to exploit the flaw)
Privileges Required: High (authentication level needed for the attack)
User Interaction: Required (whether the victim must take an action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: None (risk of sensitive data disclosure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

What do these metrics mean?
Attack Vector: Network. Exploitable remotely over the internet with no physical or local access; the largest attack surface.
Attack Complexity: Low. No special conditions are needed; the flaw can be exploited reliably.
Privileges Required: High. An administrator or otherwise privileged account is needed.
User Interaction: Required. The victim must open a file, click a link or visit a crafted page.
Scope: Unchanged. Impact is confined to the vulnerable component itself.
Confidentiality: None. No confidentiality impact.
Integrity: Low. The attacker can modify some data; the effect is limited.
Availability: None. No availability impact.

Affected software

Component: worksuite-hr-crm-and-project-management
Vendor: Worksuite

Affected range        Fixed version
5.5.0 – 5.5.0         5.5.1
5.5.1 – 5.5.1         5.5.2
5.5.2 – 5.5.2         5.5.3
5.5.3 – 5.5.3         5.5.4
5.5.4 – 5.5.4         5.5.5
5.5.5 – 5.5.5         5.5.6
5.5.6 – 5.5.6         5.5.7
5.5.7 – 5.5.7         5.5.8
5.5.8 – 5.5.8         5.5.9
5.5.9 – 5.5.9         5.5.10
5.5.10 – 5.5.10       5.5.11
5.5.11 – 5.5.11       5.5.12
5.5.12 – 5.5.12       5.5.13
5.5.13 – 5.5.13       5.5.14
5.5.14 – 5.5.14       5.5.15
5.5.15 – 5.5.15       5.5.16
5.5.16 – 5.5.16       5.5.17
5.5.17 – 5.5.17       5.5.18
5.5.18 – 5.5.18       5.5.19
5.5.19 – 5.5.19       5.5.20
5.5.20 – 5.5.20       5.5.21
5.5.21 – 5.5.21       5.5.22
5.5.22 – 5.5.22       5.5.23
5.5.23 – 5.5.23       5.5.24
5.5.24 – 5.5.24       5.5.25
5.5.25 – 5.5.25       5.5.26

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Not fixed: 70 days since disclosure

Mitigations and workarounds

The primary mitigation for CVE-2026-4165 is to upgrade Worksuite HR, CRM and Project Management to a version that includes the security patch. Until an upgrade is possible, consider implementing input validation and sanitization on the 'Client Note' field to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. Regularly review application logs for suspicious activity, particularly requests to the /account/orders/create endpoint with unusual parameters. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Client Note field and verifying that it is properly sanitized.
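The log review the paragraph above calls for, as an added example that is not part of this advisory or of Worksuite's own code: it scans constructed access-log lines for GET requests to /account/orders/create whose query parameters (the 'Client Note' parameter included) carry markup after URL decoding. The `scan_params` and `find_suspicious_requests` functions and the sample lines are assumptions of this example; POST bodies never appear in an access log, so those must come from application-level request logging and can be fed to `scan_params` directly.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (made-up IPs/timestamps).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2026:10:01:02 +0000] "GET /account/orders/create HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Mar/2026:10:02:10 +0000] "GET /account/orders/create?Client%20Note=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 5210 "-" "curl/8.4.0"
10.0.0.9 - - [15/Mar/2026:10:03:33 +0000] "POST /account/orders/create HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Mar/2026:10:04:01 +0000] "GET /account/orders?Client%20Note=%3Cb%3Ehi%3C/b%3E HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.8 - - [15/Mar/2026:10:05:12 +0000] "GET /account/orders/create?Client%20Note=budget%203%20%3C%204 HTTP/1.1" 200 5150 "-" "Mozilla/5.0"
10.0.0.11 - - [15/Mar/2026:10:05:45 +0000] "GET /account/orders/create?Client%20Note=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Markup with no place in a free-text note: tag opener, event-handler attribute
# or javascript: URL, checked on the decoded value. "3 < 4" is not matched.
MARKUP_RE = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def scan_params(params):
    """Names of parameters whose value(s) contain markup; values may be a
    string or a list of strings (the shape parse_qs returns)."""
    flagged = []
    for name, values in params.items():
        for value in values if isinstance(values, list) else [values]:
            if MARKUP_RE.search(value):
                flagged.append(name)
                break
    return flagged

def find_suspicious_requests(log_text, endpoint="/account/orders/create"):
    """One finding per flagged query parameter in GET requests to `endpoint`.
    POST bodies never reach the access log, so POSTs are skipped here."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        if parts.path != endpoint:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in scan_params(params):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "param": name, "value": params[name][0]})
    return findings
```

Run against the sample, only the two requests that carry a tag in the Client Note parameter on the create endpoint are reported; the benign "budget 3 < 4" note and the request to a different path are not.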

Remediation

Update Worksuite HR, CRM and Project Management to a version later than 5.5.25. This fixes the cross-site scripting vulnerability in the affected component.


Frequently asked questions

What is CVE-2026-4165 — XSS in Worksuite HR, CRM and Project Management?

CVE-2026-4165 is a cross-site scripting (XSS) vulnerability in Worksuite HR, CRM and Project Management versions 5.5.0–5.5.25, allowing attackers to inject malicious scripts.

Am I affected by CVE-2026-4165 in Worksuite HR, CRM and Project Management?

You are affected if you are using Worksuite HR, CRM and Project Management versions 5.5.0 through 5.5.25.

How do I fix CVE-2026-4165 in Worksuite HR, CRM and Project Management?

Upgrade to a patched version of Worksuite HR, CRM and Project Management. Implement input validation as a temporary workaround.

Is CVE-2026-4165 being actively exploited?

CVE-2026-4165 has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation has not been confirmed.

Where can I find the official Worksuite HR, CRM and Project Management advisory for CVE-2026-4165?

Refer to the Worksuite HR, CRM and Project Management official website or security advisory channels for the latest information.
