Platform
php
Component
worksuite-hr-crm-and-project-management
Fixed versions
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.5.9
5.5.10
5.5.11
5.5.12
5.5.13
5.5.14
5.5.15
5.5.16
5.5.17
5.5.18
5.5.19
5.5.20
5.5.21
5.5.22
5.5.23
5.5.24
5.5.25
5.5.26
CVE-2026-4165 describes a cross-site scripting (XSS) vulnerability affecting Worksuite HR, CRM and Project Management versions 5.5.0 through 5.5.25. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. The vulnerability stems from improper handling of user input within the /account/orders/create endpoint, specifically the 'Client Note' parameter. A patch is available to address this issue.
Successful exploitation of CVE-2026-4165 allows an attacker to inject arbitrary JavaScript code into the Worksuite HR, CRM and Project Management application. This can lead to a variety of malicious outcomes, including session hijacking, defacement of the application's user interface, and theft of sensitive user data such as login credentials, personal information, and financial details. The attacker could potentially gain unauthorized access to user accounts and perform actions on their behalf. Given the nature of HR, CRM, and project management systems, the data at risk includes highly confidential employee records, customer data, and project-related information, making this a significant concern for organizations using this software.
CVE-2026-4165 has been publicly disclosed, increasing the risk of exploitation. No KEV listing or EPSS score is currently available. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's nature and public disclosure. The vulnerability was published on 2026-03-15.
Organizations utilizing Worksuite HR, CRM and Project Management versions 5.5.0 through 5.5.25 are at risk. This includes businesses of all sizes that rely on this software for managing human resources, customer relationships, and project workflows. Shared hosting environments where multiple users share the same instance of the software are particularly vulnerable, as an attacker could potentially compromise the entire environment through a single vulnerable application.
• generic web:
curl -s -X POST "http://<target>/account/orders/create" -d "Client Note=<script>alert('XSS')</script>" | grep "alert('XSS')"
• generic web:
curl -s -X GET "http://<target>/account/orders/create?Client%20Note=<script>alert('XSS')</script>" | grep "alert('XSS')"
Exploitation status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4165 is to upgrade Worksuite HR, CRM and Project Management to a version that includes the security patch. Until an upgrade is possible, consider implementing input validation and sanitization on the 'Client Note' field to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can provide an additional layer of protection. Regularly review application logs for suspicious activity, particularly requests to the /account/orders/create endpoint with unusual parameters. After upgrading, confirm the vulnerability is resolved by submitting a simple XSS payload in the Client Note field and verifying that it is rendered as inert text rather than executed.
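The two interim controls above, output escaping of the Client Note field and review of access logs for requests to /account/orders/create carrying script-like parameters, as an added example. This is not code from the page or from Worksuite; it assumes web-server access logs in the common combined format (the sample lines below are constructed) and uses Python's `html.escape`, the equivalent of PHP's `htmlspecialchars` with `ENT_QUOTES`, to stand in for the escaping a PHP template would apply.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory.
ENDPOINT = "/account/orders/create"
FIELD = "Client Note"

# Narrow markers of active markup in a decoded parameter value. Deliberately
# conservative: this is for triage of log lines, not a replacement for a WAF
# or for escaping at output time.
_ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE
)

# Combined log format (constructed assumption): client, identity, user,
# [timestamp], "METHOD target protocol", status, ...
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def escape_client_note(note):
    """Render the note as inert HTML text (what the PHP fix should do at output)."""
    return html.escape(note, quote=True)


def note_is_inert(rendered):
    """Post-upgrade verification: the rendered field must contain no active markup."""
    return _ACTIVE_MARKUP.search(rendered) is None


def flag_request(line):
    """Return a finding dict for a log line that hits ENDPOINT with a
    script-like parameter value, or None. Only GET query strings are visible
    in access logs; POST bodies need application-level logging."""
    m = _LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != ENDPOINT:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for name, values in params.items():
        # parse_qs decodes once; decode again to catch double-encoded values.
        if any(_ACTIVE_MARKUP.search(unquote_plus(v)) for v in values):
            hits.append(name)
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"], "params": hits}


def scan_log(lines):
    """Run flag_request over an iterable of log lines and collect findings."""
    return [f for f in (flag_request(l) for l in lines) if f is not None]


# Constructed sample log: one benign note, one probe against the endpoint,
# one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Mar/2026:10:21:07 +0000] "GET /account/orders/create'
    '?Client%20Note=Please+ship+by+Friday HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Mar/2026:10:22:41 +0000] "GET /account/orders/create'
    '?Client%20Note=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 498',
    '192.0.2.9 - - [15/Mar/2026:10:23:02 +0000] "GET /dashboard HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("suspicious request:", finding)
    probe = "<script>alert('XSS')</script>"
    print("raw value inert:", note_is_inert(probe))
    print("escaped value inert:", note_is_inert(escape_client_note(probe)))
```

`scan_log` flags only the second sample line, attributing it to the `Client Note` parameter; `note_is_inert` returns False for the raw probe and True once it has been passed through `escape_client_note`, which is the check the advisory asks for after upgrading.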
Update Worksuite HR, CRM and Project Management to a version later than 5.5.25. This fixes the cross-site scripting vulnerability in the affected component.
CVE-2026-4165 is a cross-site scripting (XSS) vulnerability in Worksuite HR, CRM and Project Management versions 5.5.0–5.5.25, allowing attackers to inject malicious scripts.
You are affected if you are using Worksuite HR, CRM and Project Management versions 5.5.0 through 5.5.25.
Upgrade to a patched version of Worksuite HR, CRM and Project Management. Implement input validation as a temporary workaround.
CVE-2026-4165 has been publicly disclosed, increasing the likelihood of exploitation. Active exploitation has not been confirmed.
Refer to the Worksuite HR, CRM and Project Management official website or security advisory channels for the latest information.