Description

A cross site scripting vulnerability was identified in Aureus ERP up to version 1.3.0-BETA2. The affected code is an unknown function in the file plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php, part of the Chatter Message Handler component. Manipulating the argument subject/body can lead to cross site scripting, and the attack can be launched remotely. Upgrading to version 1.3.0-BETA1 is sufficient to fix this issue; the patch is identified as commit 2135ee7efff4090e70050b63015ab5e268760ec8. Upgrading the affected component is recommended.

Status: PUBLISHED | Reserved 2026-03-14 | Published 2026-03-15 | Updated 2026-03-17 | Assigner: VulDB

Severity scores

MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X)
LOW: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C)
LOW: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C)
4.0 (CVSS 2.0 vector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:OF/RC:C)

Problem types

Cross Site Scripting
Code Injection

Product status

1.3.0-BETA2: affected
1.3.0-BETA1: unaffected

Timeline

2026-03-14: Advisory disclosed
2026-03-14: VulDB entry created
2026-03-14: VulDB entry last update

Credits

kkc73 (VulDB User), reporter

References

vuldb.com/?id.351083 (VDB-351083 | Aureus ERP Chatter Message content-text-entry.blade.php cross site scripting) vdb-entry, technical-description
vuldb.com/?ctiid.351083 (VDB-351083 | CTI Indicators (IOB, IOC, TTP, IOA)) signature, permissions-required
vuldb.com/?submit.769827 (Submit #769827 | aureuserp 51b975a Cross Site Scripting) third-party-advisory
github.com/aureuserp/aureuserp/pull/939 issue-tracking, patch
github.com/...ommit/2135ee7efff4090e70050b63015ab5e268760ec8 patch
github.com/aureuserp/aureuserp/releases/tag/v1.3.0-BETA1 patch
cve.org (CVE-2026-4175)
nvd.nist.gov (CVE-2026-4175)