VYPR
Medium severity · NVD Advisory · Published Jan 12, 2026 · Updated Apr 15, 2026

CVE-2025-40976

Description

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to ‘/ticketgo-saas/home’, using the ‘description’ parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WorkDo TicketGo contains a stored XSS vulnerability via the 'description' parameter in a POST request to '/ticketgo-saas/home'.

Vulnerability

Overview

CVE-2025-40976 is a stored cross-site scripting (XSS) vulnerability affecting WorkDo's TicketGo product. The root cause is a lack of proper validation of user input when sending a POST request to the endpoint /ticketgo-saas/home, specifically through the description parameter [1]. This allows an attacker to inject arbitrary web script or HTML that is stored by the application and later executed in the browsers of other users who view the affected content.

Exploitation

To exploit this vulnerability, an attacker must have a valid account with privileges to submit ticket descriptions (i.e., a low-privileged user). The attack is performed over the network (AV:N) with low attack complexity (AC:L) and requires user interaction (UI:P) from the victim [1]. The attacker sends a crafted POST request containing malicious script in the description parameter. When other users view the affected ticket, the stored script executes in their browser session.

Impact

Successful exploitation leads to a limited impact on confidentiality and integrity within the application's scope (SC:L, SI:L) [1]. The attacker can potentially steal session cookies, perform actions on behalf of the victim, or deface the application interface. The CVSS v4.0 base score is 5.1 (Medium) [1].

Mitigation

As of the publication date, no vendor-supplied patch or workaround has been reported [1]. Organizations using WorkDo TicketGo should monitor for updates from WorkDo and, until a fix is available, apply input validation on the description parameter and context-appropriate output encoding wherever stored ticket descriptions are rendered.
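The following is an added example, not TicketGo's code and not from the CVE's references. It illustrates both the verification step from the Exploitation section (submit a marked payload in the description parameter, then check whether the rendered ticket contains it with its markup intact) and the interim output-encoding defence from the Mitigation section. The endpoint /ticketgo-saas/home and the description parameter come from the CVE description; the ticket view templates, the extra form field names, and all sample inputs are constructed for illustration.

```javascript
// Added example: stored-XSS probe construction, response classification, and
// an output-encoding fix. Constructed for illustration; the only identifiers
// taken from the advisory are the /ticketgo-saas/home endpoint and the
// 'description' parameter.

// Entity-encode text destined for HTML element content or a quoted attribute.
// Covers the five characters that can break out of those contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Body of the POST a tester would send to /ticketgo-saas/home. Field names
// other than 'description' are hypothetical and passed in by the caller.
function buildProbeBody(payload, extraFields = {}) {
  return new URLSearchParams({ ...extraFields, description: payload }).toString();
}

// Constructed ticket view that reproduces the class of flaw described: the
// stored description is interpolated into the page without encoding.
function renderTicketVulnerable(ticket) {
  return `<div class="ticket"><h2>${ticket.subject}</h2>` +
         `<p>${ticket.description}</p></div>`;
}

// Hardened variant: every untrusted field is encoded at output time.
function renderTicketHardened(ticket) {
  return `<div class="ticket"><h2>${escapeHtml(ticket.subject)}</h2>` +
         `<p>${escapeHtml(ticket.description)}</p></div>`;
}

// Classify the page that displays the ticket after the probe was stored:
//   'vulnerable' - payload present with markup intact (would execute)
//   'encoded'    - payload present only in entity-encoded form (inert)
//   'absent'     - payload not found (rejected or stripped by validation)
// A payload with no HTML-significant characters cannot distinguish the first
// two outcomes, so it is refused rather than reported as a false positive.
function classifyResponse(html, payload) {
  const encoded = escapeHtml(payload);
  if (encoded === payload) {
    throw new Error('probe payload must contain HTML-significant characters');
  }
  if (html.includes(payload)) return 'vulnerable';
  if (html.includes(encoded)) return 'encoded';
  return 'absent';
}

// Example run over the two constructed views.
function demo() {
  const payload = '<script>alert(1)</script>';
  const ticket = { subject: 'Login broken', description: payload };
  return {
    body: buildProbeBody(payload),
    vulnerable: classifyResponse(renderTicketVulnerable(ticket), payload),
    hardened: classifyResponse(renderTicketHardened(ticket), payload),
  };
}
```

Use a payload that is unique per test run (for example with a random marker in the script body) so that a 'vulnerable' result can be tied to the specific request that stored it, and run the check against every page that displays the ticket, not only the submission response, because stored XSS fires where the description is later rendered.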

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1