Description
A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-03-15
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting; an attacker could inject malicious script via the Client Note field
Action: Patch
AI Analysis

Impact

A vulnerability exists in Worksuite HR, CRM and Project Management, affecting an unknown function within the /account/orders/create file. Manipulating the Client Note argument allows an attacker to inject arbitrary JavaScript, a cross-site scripting (XSS) flaw classified as CWE-79. It could enable a remote attacker to execute script in the browsers of users who view the injected content, potentially leading to session hijacking, data theft, or page defacement. The description states that the attack can be initiated remotely, meaning the attack vector is the network; note, however, that the CVSS vectors recorded in the History section rate privileges required as high (PR:H) and require user interaction, so by those metrics exploitation needs a privileged account rather than an unauthenticated one.

Affected Systems

Worksuite HR, CRM and Project Management products up to version 5.5.25 are vulnerable. The affected version information is explicitly stated as "up to 5.5.25"; no later versions have been reported to contain the issue.

Risk and Exploitability

The CVSS v4.0 score of 4.8 indicates moderate severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. While the attack vector is remote, exploitation requires crafting a payload delivered through the Client Note field. The description states that an exploit has been disclosed publicly and may be used, and the recorded CVSS vectors rate exploit maturity as proof-of-concept (E:POC / E:P), so the flaw should be treated as exploitable until it is patched or mitigated.

Generated by OpenCVE AI on March 17, 2026 at 17:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the version of Worksuite HR, CRM and Project Management; if it is 5.5.25 or older, upgrade to a patched release as soon as the vendor publishes one.
  • If a patch is not yet available, contact Worksuite support for guidance on applying a temporary fix or request a security patch.
  • Consider disabling or restricting the Client Note input for the /account/orders/create endpoint until a patch can be applied.
  • Implement an input-validation filter or a web-application firewall rule that blocks or sanitizes scripts submitted through the Client Note field as an interim measure; the durable fix for CWE-79 is contextual output encoding of the note wherever the application renders it.


Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000
Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000
Type: First Time appeared
Values added: Worksuite; Worksuite hr, Crm And Project Management
Type: Vendors & Products
Values added: Worksuite; Worksuite hr, Crm And Project Management

Sun, 15 Mar 2026 05:15:00 +0000
Type: Description
Values added: A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Type: Title
Values added: Worksuite HR, CRM and Project Management create cross site scripting
Type: Weaknesses
Values added: CWE-79; CWE-94
Type: References
Values added: (none listed)
Type: Metrics
Values added:
cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

No values were removed in any of these entries.


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-17T13:45:03.502Z

Reserved: 2026-03-14T12:27:21.982Z

Link: CVE-2026-4165

Vulnrichment

Updated: 2026-03-17T13:44:58.137Z

NVD

Status: Deferred

Published: 2026-03-16T14:19:55.620

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-4165

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:02:03Z

Weaknesses