CVE-2026-4165
Cross-Site Scripting in Worksuite /account/orders/create Function
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| worksuite | hr_crm_and_project_management | up to and including 5.5.25 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is detected at the application layer, by testing the order creation functionality: submit input to the Client Note field of the /account/orders/create endpoint and check whether it is rendered back unencoded in the order view.
A practical test is to inject a known stored XSS payload such as <details open ontoggle=prompt(origin)> into the Client Note field while logged in as a user with order creation permissions, then open the order as an administrator and observe whether the handler fires. The <details open> element triggers its ontoggle handler as soon as the page renders, so no click is needed. In a production system, substitute a harmless canary (for example a console.log call with a unique marker) for the prompt, and confirm the finding by inspecting the served HTML for the raw tag rather than an entity-encoded copy of it.
There are no network-level commands for this class of issue; manual testing or automated web application scanners that probe for stored XSS in the Client Note parameter at /account/orders/create are the appropriate tools.
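The check described above, as an added example that is not part of the advisory or of the Worksuite code base: a small classifier that takes the HTML of the order view (as an administrator would receive it) and decides whether a canary note was rendered as a live event handler, rendered entity-encoded, or not rendered at all. The canary marker, the handler body and the two sample pages are constructed for this example; the real request parameter name for the Client Note field is not stated in the advisory and is not assumed here.

```python
import html
from html.parser import HTMLParser

# Constructed canary modelled on the advisory's payload: a <details> element whose
# ontoggle handler fires on render, with a harmless console.log instead of prompt().
CANARY_TOKEN = "xsscanary7f3a"  # assumption: arbitrary unique marker for this test
CANARY_PAYLOAD = f'<details open ontoggle="console.log(\'{CANARY_TOKEN}\')">'


class _CanaryFinder(HTMLParser):
    """Records where the canary token lands: in an on* attribute (live handler),
    or only in text / non-handler attributes (neutralized by encoding)."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities are decoded before we see them
        self.handler_hits = []
        self.seen_as_text = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or CANARY_TOKEN not in value:
                continue
            if name.lower().startswith("on"):
                self.handler_hits.append((tag, name.lower(), value))
            else:
                self.seen_as_text = True  # landed inside a quoted attribute, not executable

    def handle_data(self, data):
        if CANARY_TOKEN in data:
            self.seen_as_text = True  # &lt;details ...&gt; decoded back to text: encoded output


def classify_render(page_html: str) -> str:
    """Return 'vulnerable', 'encoded' or 'absent' for a page that should display the note."""
    finder = _CanaryFinder()
    finder.feed(page_html)
    finder.close()
    if finder.handler_hits:
        return "vulnerable"
    if finder.seen_as_text or CANARY_TOKEN in page_html:
        return "encoded"
    return "absent"


# Constructed sample responses standing in for the real order view.
VULNERABLE_PAGE = f"""<html><body>
<h1>Order #1</h1>
<div class="client-note">{CANARY_PAYLOAD}</div>
</body></html>"""

HARDENED_PAGE = f"""<html><body>
<h1>Order #1</h1>
<div class="client-note">{html.escape(CANARY_PAYLOAD, quote=True)}</div>
</body></html>"""


if __name__ == "__main__":
    print("raw render     :", classify_render(VULNERABLE_PAGE))
    print("encoded render :", classify_render(HARDENED_PAGE))
```

To use it against a live instance, submit CANARY_PAYLOAD as the Client Note, fetch the order page with an administrator session, and pass the response body to classify_render. Because the parser decodes entities before inspection, a page that shows the literal text of the tag is reported as encoded rather than as a false positive.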
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying contextual output encoding wherever the Client Note is rendered, converting special characters into HTML entities so that injected markup is displayed as text rather than executed. This is the primary fix; input sanitization (allowing only safe characters, or stripping all HTML tags if rich text is not required) is a useful second layer but does not replace encoding at the output point.
Enforce a robust Content Security Policy (CSP) that blocks inline scripts and event handlers, for example by omitting 'unsafe-inline' from script-src. Note that a CSP nonce covers <script> elements only; injected event-handler attributes such as ontoggle are blocked precisely because no nonce or 'unsafe-inline' can authorize them.
If possible, consider replacing the affected product with an alternative that is not vulnerable. [1, 2]
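The two mitigations above side by side, as an added example that is not the project's own code: output encoding of the note at render time, and a CSP checker that distinguishes a weak policy (which permits the injected ontoggle handler) from a corrected one. The policy strings, the note markup and the function names are assumptions made for this example.

```python
import html

# Constructed policies for comparison: the weak one allows inline event handlers,
# the corrected one does not (a nonce authorizes <script> elements, never on* attributes).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
    "object-src 'none'; base-uri 'self'"
)


def render_client_note(note: str) -> str:
    """Render the note into an HTML body context with contextual output encoding.
    Encoding happens here, at the output point, regardless of what was stored."""
    return f'<div class="client-note">{html.escape(note, quote=True)}</div>'


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_blocks_inline_handlers(policy: str) -> bool:
    """True if the policy would stop an injected ontoggle=/onerror= attribute from running.

    Rules applied:
    - script-src governs event handlers; absent script-src, default-src is the fallback.
    - No script restriction at all means handlers run.
    - 'unsafe-inline' allows handlers, unless a nonce or hash source is also listed,
      in which case browsers ignore 'unsafe-inline' (and the nonce still does not
      cover attribute handlers, so they stay blocked).
    """
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return True
    return any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )


if __name__ == "__main__":
    payload = "<details open ontoggle=prompt(origin)>"
    print(render_client_note(payload))
    print("weak CSP blocks handler:    ", csp_blocks_inline_handlers(WEAK_CSP))
    print("hardened CSP blocks handler:", csp_blocks_inline_handlers(HARDENED_CSP))
```

The encoding function is the fix for the root cause; the CSP check is defense in depth that limits what a missed encoding point can do, and it is worth running against the policy a deployment actually serves rather than the one that was intended.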
Can you explain this vulnerability to me?
CVE-2026-4165 is a stored cross-site scripting (XSS) vulnerability found in Worksuite HR, CRM, and Project Management software versions up to 5.5.25. It exists in the order creation functionality at the endpoint /account/orders/create, specifically involving the Client Note parameter.
The vulnerability arises because user input in the Client Note field is not properly sanitized or encoded, allowing an attacker to inject HTML5 markup and JavaScript. When an administrator or other user views the order containing the malicious payload, the script runs as soon as the page renders; the victim only has to open the order, and no click on the injected element is needed.
Exploitation requires the attacker to have order creation permissions and involves submitting a crafted payload that triggers JavaScript execution when viewed. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and corresponds to MITRE ATT&CK technique T1059.007.
How can this vulnerability impact me?
This vulnerability can have several impacts including session hijacking, phishing, and unauthorized actions.
- Attackers can steal administrator cookies and hijack sessions where the session cookie is not marked HttpOnly; even when it is, the injected script still runs with the administrator's session in the browser and can issue requests on their behalf.
- Phishing attacks can be conducted by altering page content to deceive users.
- Attackers may perform unauthorized actions on behalf of victims, such as creating fake administrators or deleting data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know