CVE-2025-15562 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting NesterSoft Inc.'s WorkTime product, versions up to and including 11.8.8, deployed both on-premises and in cloud environments. The vulnerability exists in the server API endpoint /report/internet/urls, which improperly handles user input by reflecting it directly into the HTML response without adequate sanitization or encoding. This improper neutralization of input allows attackers to inject arbitrary JavaScript code that executes in the context of the victim’s browser when the victim accesses a specially crafted URL. The vulnerability does not require authentication or elevated privileges, but exploitation depends on social engineering to convince a user to open the malicious link. The CVSS v3.1 base score is 6.1, indicating a medium severity level, with an attack vector of network, low attack complexity, no privileges required, user interaction required, and a scope change. The impact affects confidentiality and integrity but not availability. No known public exploits or patches are available at the time of publication, increasing the urgency for organizations to implement mitigations proactively. The vulnerability could be leveraged to steal session cookies, perform actions on behalf of the user, or conduct phishing attacks by manipulating the user interface.

The primary impact of this vulnerability is on the confidentiality and integrity of user data within affected WorkTime deployments. Successful exploitation can lead to theft of session tokens, enabling attackers to impersonate users and access sensitive information or perform unauthorized actions. It can also facilitate phishing attacks by injecting malicious scripts that alter the user interface or redirect users to malicious sites. While availability is not directly impacted, the compromise of user accounts or data integrity can have significant operational and reputational consequences. Organizations relying on WorkTime for employee monitoring or productivity tracking may face data breaches or loss of trust. Since the vulnerability affects both on-premises and cloud deployments, a wide range of organizations across industries using this product are at risk. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with high user exposure to external links.

To mitigate this vulnerability, organizations should immediately implement strict input validation and output encoding on the /report/internet/urls endpoint to ensure that any user-supplied data is properly sanitized before being reflected in HTML responses. Employing a robust web application firewall (WAF) with rules to detect and block XSS payloads targeting this endpoint can provide a temporary protective layer. Security teams should educate users about the risks of clicking on unsolicited or suspicious URLs, especially those related to WorkTime reports. Monitoring logs for unusual requests to the vulnerable endpoint can help detect attempted exploitation. Organizations should also engage with NesterSoft Inc. for updates or patches and plan for timely application once available. Additionally, implementing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Regular security assessments and penetration testing focusing on this endpoint are recommended to verify the effectiveness of mitigations.