CVE-2025-40640
📋 TL;DR
A stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 allows attackers to inject malicious scripts via the customerName_0 parameter in POST requests to /crm/create_invoice_submit.php. This could enable session cookie theft when authenticated users view compromised pages. Organizations using Energy CRM v2025 by Status Tracker Ltd are affected.
💻 Affected Systems
- Energy CRM v2025 (the version named in the advisory; earlier builds are not mentioned, so treat any unpatched install as in scope until the vendor says otherwise)
📦 What is this software?
Energy CRM, a PHP-based customer relationship management application with invoicing, attributed to Status Tracker Ltd in the advisory (the vendor is also listed as Energycrm).
⚠️ Risk & Real-World Impact
Worst Case
An attacker plants a payload that runs in an administrator's browser, steals the admin session cookie, takes over the account with full CRM privileges, reads or alters customer and invoice data, and uses that foothold to reach other internal systems the CRM can talk to.
Likely Case
Attackers steal user session cookies to impersonate authenticated users, access CRM data, and perform unauthorized actions.
If Mitigated
With context-aware output encoding (HTML-escaping the customer name everywhere it is rendered) backed by server-side input validation, the stored value is displayed as literal text and never executed, so the payload is harmless even if it reaches the database.
🎯 Exploit Status
The attacker needs only to submit a crafted POST to the vulnerable endpoint (which may itself require a low-privileged CRM account, depending on how the invoice form is exposed). Because the injection is stored, no luring is required: any authenticated user, including administrators, who later opens the invoice or customer record in which customerName_0 is displayed runs the script as part of their normal workflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for patched version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-energy-crm-status-tracker
Restart Required: No
Instructions:
1. Check the vendor advisory for patch details.
2. Apply the security patch provided by Status Tracker Ltd.
3. Verify the fix by re-testing the vulnerable endpoint (see "How to Verify" below).
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation of the customerName_0 parameter (length limit, reject angle brackets and other characters a customer name never needs) and, more importantly, HTML-encode the value wherever it is rendered. Stripping "script" substrings on input is easily bypassed; encoding on output is the control that actually prevents execution.
Web Application Firewall (WAF) Rules
Deploy WAF rules that block POST requests to /crm/create_invoice_submit.php whose customerName_0 value contains XSS patterns (tags such as <script>, <img>, <svg>, event handlers like onerror=, javascript: URLs), matched after URL decoding. Treat this as a stopgap that raises the bar, not as a fix; WAF signatures are routinely bypassed with encoding tricks.
🧯 If You Can't Patch
- Deploy a Content Security Policy that disallows inline scripts (nonce- or hash-based script-src, no 'unsafe-inline'). This only blocks the injected script if the CRM's own pages do not depend on inline JavaScript, so test in report-only mode first; a policy that has to allow 'unsafe-inline' to keep the application working does not mitigate this vulnerability.
- Restrict access to /crm/create_invoice_submit.php (for example, allow only the users or networks that genuinely create invoices) or disable it if invoice creation is not needed; this removes the injection path at the cost of that functionality.
🔍 How to Verify
Check if Vulnerable:
Only on a system you are authorized to test, send a POST request to /crm/create_invoice_submit.php with a benign, uniquely identifiable marker in the customerName_0 parameter (a harmless tag such as <b>xsschk1234</b>, or <script>alert('test')</script> if you want to see execution). Then open the invoice or customer view where that name is displayed: if the marker appears as live HTML (bold text, or the alert firing) the stored value is rendered unencoded and the install is vulnerable; if it appears as the literal text &lt;b&gt;xsschk1234&lt;/b&gt;, output encoding is in place. Checking the POST response alone is not enough, since the payload executes on the page that renders the stored value.
Check Version:
Check the CRM interface or configuration files for version information; specific command depends on deployment.
Verify Fix Applied:
Repeat the vulnerability test after patching; the payload should be sanitized or blocked, and no script execution should occur.
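The check described above, as an added example that is not part of the advisory or the vendor's code: it submits a harmless marker as customerName_0 to the advisory's endpoint, fetches the page where the stored name is displayed, and classifies whether the marker came back as live HTML (vulnerable), HTML-escaped (fixed), or not at all. The session cookie, the other form fields the invoice form needs, and the path of the page that displays the stored name are all deployment-specific assumptions you must fill in; the classification logic is pure and can be exercised offline.

```python
"""Stored-XSS probe for CVE-2025-40640 (added example, not vendor code).

Assumptions not stated in the advisory: the session cookie header, any
additional fields create_invoice_submit.php requires, and the path of the
page that renders the stored customer name are placeholders for your own
deployment. Run only against systems you are authorized to test.
"""
import html
import secrets
import sys
import urllib.parse
import urllib.request

ENDPOINT = "/crm/create_invoice_submit.php"   # from the advisory
PARAM = "customerName_0"                      # from the advisory


def make_marker():
    """A harmless, unique tag: executes nothing, but is easy to spot."""
    return "<b>xsschk%s</b>" % secrets.token_hex(4)


def build_form(marker, extra_fields=None):
    """URL-encode the POST body. extra_fields holds whatever other invoice
    fields the form expects (deployment-specific, assumed)."""
    fields = {PARAM: marker}
    fields.update(extra_fields or {})
    return urllib.parse.urlencode(fields).encode()


def classify(page_html, marker):
    """How was the stored value rendered on the viewing page?
    'raw'     -> marker present verbatim: rendered as HTML, vulnerable
    'encoded' -> only the HTML-escaped form appears: output encoding works
    'absent'  -> value not stored, or not shown on this page
    """
    if marker in page_html:
        return "raw"
    if html.escape(marker) in page_html:
        return "encoded"
    return "absent"


def probe(base_url, cookie_header, view_path, extra_fields=None):
    """Submit the marker, then fetch view_path (assumed to display the
    stored name) and classify the result."""
    marker = make_marker()
    opener = urllib.request.build_opener()
    opener.addheaders = [("Cookie", cookie_header)]
    opener.open(base_url + ENDPOINT, data=build_form(marker, extra_fields), timeout=15).read()
    page = opener.open(base_url + view_path, timeout=15).read().decode("utf-8", "replace")
    return classify(page, marker)


if __name__ == "__main__":
    # usage: probe.py https://crm.example.test "PHPSESSID=..." /crm/invoice_list.php
    base, cookie, view = sys.argv[1:4]          # all three are assumptions
    print(PARAM, "rendered as:", probe(base, cookie, view))
```

A result of "raw" before patching and "encoded" afterwards is the before/after evidence the fix instructions ask for; "absent" usually means the view path was wrong or the form was rejected for missing fields, not that the install is safe.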
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /crm/create_invoice_submit.php with script-like content in parameters.
- Log entries showing stored content with HTML/script tags in customer data.
Network Indicators:
- HTTP POST traffic to the vulnerable endpoint containing XSS patterns in payloads.
SIEM Query:
source="web_logs" AND method="POST" AND uri="/crm/create_invoice_submit.php" AND customerName_0 MATCHES "(?i)(<\s*(script|img|svg|iframe)|on[a-z]+\s*=|javascript\s*:)"
This is pseudo-syntax to adapt to your SIEM. It only works where request bodies are logged (WAF audit logs, a reverse proxy configured to log POST bodies, or application-level logging); standard web server access logs record the URI and method but not form parameters. Match after URL decoding, or include encoded variants such as %3Cscript, since the payload arrives URL-encoded in the form body.
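The detection logic above as runnable code, an added example that is not part of the advisory: it parses request-body log lines, URL-decodes the customerName_0 value (twice, to catch double encoding), and flags POSTs to the advisory's endpoint that carry tag- or handler-based XSS payloads. The line format and the sample entries are constructed for the example; substitute the parser for whatever your WAF or application log actually emits.

```python
"""Log scanner for CVE-2025-40640 exploitation attempts (added example).

Assumes request bodies are logged in a line format like
    <timestamp> <client_ip> <METHOD> <uri> body="<urlencoded form>"
which is a placeholder for your own WAF/application log format.
"""
import re
import urllib.parse

TARGET_URI = "/crm/create_invoice_submit.php"   # from the advisory
TARGET_PARAM = "customerName_0"                  # from the advisory

# Common XSS vectors: script/media tags, inline event handlers, javascript: URLs.
# Applied after URL decoding so %3Cscript and %253Cscript are caught as well.
XSS_RE = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed|body)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) body="(?P<body>[^"]*)"'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2025-11-03T10:15:01Z 203.0.113.7 POST /crm/create_invoice_submit.php '
    'body="customerName_0=Acme+GmbH&amount=120"',
    '2025-11-03T10:15:09Z 203.0.113.7 POST /crm/create_invoice_submit.php '
    'body="customerName_0=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&amount=1"',
    '2025-11-03T10:16:22Z 198.51.100.4 POST /crm/create_invoice_submit.php '
    'body="customerName_0=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&amount=5"',
    '2025-11-03T10:17:00Z 198.51.100.9 GET /crm/create_invoice_submit.php body=""',
    '2025-11-03T10:18:45Z 192.0.2.10 POST /crm/login.php body="user=%3Cscript%3E&pass=x"',
]


def parse_line(line):
    """Split one log line into fields; body is parsed into a param dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = dict(urllib.parse.parse_qsl(rec["body"], keep_blank_values=True))
    return rec


def suspicious_value(value):
    """True if the (possibly still encoded) value contains an XSS vector."""
    for _ in range(2):                     # peel double encoding like %253C
        value = urllib.parse.unquote_plus(value)
    return bool(XSS_RE.search(value))


def scan(lines):
    """Return (timestamp, client_ip, decoded value) for each matching POST."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["uri"] != TARGET_URI:
            continue
        value = rec["params"].get(TARGET_PARAM, "")
        if suspicious_value(value):
            hits.append((rec["ts"], rec["ip"], value))
    return hits


if __name__ == "__main__":
    for ts, ip, value in scan(SAMPLE_LOG):
        print(f"{ts} {ip} customerName_0={value!r}")
```

The scan deliberately ignores the GET and the login.php line: the first cannot reach the vulnerable code path and the second targets a different parameter, so restricting to POSTs against the advisory's endpoint keeps the alert specific. Expect occasional false positives from legitimate names that happen to contain a word ending in "on" followed by "=", and tune the regex to your data.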