CVE-2025-40975

Vulnerability

Overview

CVE-2025-40975 is a stored cross-site scripting (XSS) vulnerability found in WorkDo's HRMGo application. The root cause is a lack of proper validation of user input when processing the 'description' parameter in a POST request to the endpoint /hrmgo/ticket/changereply [1]. This allows an attacker to inject malicious scripts that are stored on the server and later executed in the context of other users' browser.

Exploitation

An attacker must be authenticated to the HRMGo application and have the ability to send a crafted POST request to the vulnerable endpoint. The attack does not require any special network position beyond access to the application's web interface [1]. The stored script will be executed when a victim views the affected ticket reply, making this a typical stored XSS scenario.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information displayed within the application. The CVSS v4.0 base score is 5.1 (Medium), with the vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N, indicating low impact on confidentiality, integrity, and availability, but with some scope change [1].

Mitigation

As of the publication date, no official patch or workaround has been reported by the vendor [1]. Organizations using WorkDo HRMGo should monitor vendor channels for updates and consider implementing web application firewall rules or input sanitization as interim measures.