CVE-2025-40975
Stored XSS in WorkDo HRMGo Ticket Reply Allows Code Injection
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| workdo | hrmgo | * |
| workdo | ticketgo | * |
| workdo | ecommercego_saas | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-40975 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo product. It occurs because the application does not properly validate user input in the 'description' parameter when a POST request is sent to the '/hrmgo/ticket/changereply' endpoint. This allows an attacker to inject malicious scripts that are stored and later executed in the context of other users' browsers. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute malicious scripts in the browsers of users who view the affected content. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the user, potentially compromising user data and system integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves sending a crafted POST request to the endpoint '/hrmgo/ticket/changereply' with a malicious payload in the 'description' parameter to check if the input is improperly validated and results in stored XSS. For example, using curl to send a test payload: curl -X POST -d "description=<script>alert('XSS')</script>" https://<target-domain>/hrmgo/ticket/changereply and then verifying if the script executes when viewing the affected page. Monitoring web application logs for suspicious POST requests to this endpoint with unusual input can also help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
As no official patches or solutions have been reported yet, immediate mitigation steps include implementing input validation and sanitization on the 'description' parameter at the application level to prevent malicious scripts from being stored. Additionally, applying web application firewall (WAF) rules to block or sanitize suspicious POST requests to '/hrmgo/ticket/changereply' can help reduce risk. Limiting user privileges to reduce the impact of exploitation and monitoring for suspicious activity are also recommended. [1]