CVE-2025-40643
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Energy CRM v2025 lets an attacker who can submit the job-creation form inject script through the 'JobCreatedBy' parameter of POST requests to '/crm/create_job_submit.php'. The payload is saved with the job and runs in the browser of every user who later views it, which enables theft of those users' session cookies. Organizations running Energy CRM v2025 from Status Tracker Ltd are affected.
💻 Affected Systems
- Energy CRM v2025 (Status Tracker Ltd)
📦 What is this software?
Energy CRM, a customer relationship management web application from Status Tracker Ltd (also listed under the vendor name Energycrm).
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the CRM system, and potentially compromise sensitive customer data or business operations.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access their CRM data, and perform unauthorized actions within their permission scope.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing session theft.
🎯 Exploit Status
Exploitation requires an account that can create jobs (or a legitimate user tricked into submitting the attacker's content), plus a victim who later views the stored job record. The CVSS score of 5.4 (medium) reflects those two preconditions: the attacker needs privileges to reach the form, and the victim must interact with the page. Because the payload is stored, one malicious job can hit every user who opens it, including administrators.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-energy-crm-status-tracker
Restart Required: No
Instructions:
1. Contact Status Tracker Ltd for the official patch.
2. Apply the patch to your Energy CRM installation.
3. Verify the fix by re-testing the vulnerable endpoint (see "How to Verify" below).
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side validation of the JobCreatedBy parameter (an allow-list of the characters a name can contain, with a length cap) so that markup is rejected before it is stored, and encode the value on every page that renders it so any stored markup is shown as text rather than executed.
Modify /crm/create_job_submit.php and the pages that display job records to encode output with htmlspecialchars($value, ENT_QUOTES, 'UTF-8') (ENT_QUOTES matters: without it a value inside a single-quoted attribute can still break out). A Content Security Policy that omits 'unsafe-inline' is a worthwhile second layer because it blocks inline scripts and on*= handlers, but it limits impact rather than removing the bug, so do not treat it as the fix on its own.
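The validation-plus-encoding workaround above, as an added example that is not part of the advisory or the vendor's code. It is written in Python rather than PHP, but `html.escape(value, quote=True)` encodes the same characters as `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`, so the logic carries over directly. The function names, the allow-list pattern, the CSP value and the two payloads are assumptions for illustration; the vulnerable renderer shows the pattern behind the bug beside its hardened form.

```python
import html
import re

# Allow-list for a person's name: letters, digits, underscore (\w), spaces,
# dot, apostrophe and hyphen, at most 80 characters. The characters that
# matter for XSS (< > & " and =) are not in the list, so they are rejected
# before the value is ever stored. The list itself is an assumption; widen it
# only with characters that html.escape() below still neutralises.
_NAME_RE = re.compile(r"[\w .'\-]{1,80}")


def is_allowed_job_created_by(value) -> bool:
    """Server-side validation step: True only if value matches the allow-list."""
    return isinstance(value, str) and _NAME_RE.fullmatch(value) is not None


def render_job_row_vulnerable(created_by: str) -> str:
    """The pattern behind a stored XSS: the stored value is concatenated into
    HTML with no encoding, once inside an attribute and once as element text."""
    return f'<tr><td class="creator" title="{created_by}">{created_by}</td></tr>'


def render_job_row_safe(created_by: str) -> str:
    """Same row with output encoding. html.escape(quote=True) encodes
    < > & " and ', the same set as PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
    so the value is inert both in the quoted attribute and in the text node."""
    enc = html.escape(created_by, quote=True)
    return f'<tr><td class="creator" title="{enc}">{enc}</td></tr>'


def csp_header() -> tuple:
    """Defence in depth: a CSP without 'unsafe-inline' stops inline <script>
    and on*= handlers from running even where encoding was missed somewhere.
    It is a second layer, not a substitute for encoding. (Assumed policy.)"""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")


# Constructed payloads, one per context in the row above.
SCRIPT_PAYLOAD = "<script>alert('XSS')</script>"   # lands in the element body
ATTR_PAYLOAD = '" onmouseover="alert(1)'            # breaks out of title="..."

if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("validation accepts:", is_allowed_job_created_by(payload))
        print("vulnerable:", render_job_row_vulnerable(payload))
        print("safe:      ", render_job_row_safe(payload))
    print("header:", csp_header())
```

The two payloads show why encoding has to cover both contexts: the attribute payload never uses `<`, so a filter that only strips tags would let it through, while quote-aware encoding turns the `"` into `&quot;` and keeps the value inside the attribute.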
🧯 If You Can't Patch
- Put a Web Application Firewall (WAF) with XSS rules in front of the CRM to block obvious payloads in POST bodies. Treat this as a stopgap: WAF signatures are routinely bypassed with encoding and tag variations, and the stored payload only has to get through once.
- Restrict access to the CRM to trusted IP addresses and monitor for unusual activity. Note that this does not stop a user who already has a job-creation account, so also review who holds that permission and audit recently created jobs for markup in JobCreatedBy.
🔍 How to Verify
Check if Vulnerable:
Submit a POST request to /crm/create_job_submit.php with a script payload in the JobCreatedBy parameter (e.g., <script>alert('XSS')</script>) and check whether it executes when the job is viewed. Because the payload is stored, do this on a test instance or delete the test job afterwards, and prefer an inert marker tag over alert() so a forgotten test record cannot disturb other users.
Check Version:
Check the CRM interface or configuration files for version information; typically found in admin panels or version files.
Verify Fix Applied:
After patching, repeat the test: the payload should be rejected on submission or rendered as literal text (encoded as &lt;script&gt; in the page source), and no alert should appear on any page that displays the job.
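The vulnerable/fixed check above, as an added example that is not part of the advisory or the vendor's tooling. It stores a unique, inert canary tag instead of alert(), then classifies how the value comes back on the page that lists jobs: raw (still vulnerable), encoded (output encoding in place), stripped or absent (rejected by validation). The base URL, session cookie, and the job-list path /crm/jobs.php are assumptions to adjust for your installation; only the endpoint and parameter name come from the advisory.

```python
import html
import secrets
import sys
import urllib.parse
import urllib.request

ENDPOINT = "/crm/create_job_submit.php"   # from the advisory
LIST_PATH = "/crm/jobs.php"                # assumption: page that renders stored jobs


def make_canary() -> str:
    """Unique, inert HTML tag: easy to grep for, harmless if it does execute."""
    return f"<xss{secrets.token_hex(4)}>"


def classify(body: str, canary: str) -> str:
    """Decide from a rendered page how the stored JobCreatedBy value came back.
    Order matters: the raw tag is checked before the encoded and bare forms."""
    if canary in body:
        return "raw"        # tag survived intact: still vulnerable
    if html.escape(canary, quote=True) in body:
        return "encoded"    # &lt;xss...&gt;: output encoding is in place
    if canary.strip("<>") in body:
        return "stripped"   # tag characters removed, text kept
    return "absent"         # rejected by validation, or not shown on this page


def build_post(canary: str, extra_fields=None) -> bytes:
    """Form body for the job-creation request; other required fields (assumed
    names) can be passed in extra_fields."""
    fields = {"JobCreatedBy": canary}
    fields.update(extra_fields or {})
    return urllib.parse.urlencode(fields).encode()


def probe(base_url: str, cookie: str) -> str:
    """Store the canary, fetch the job list, and classify the result.
    Network calls live only here, so the helpers above can be tested offline."""
    canary = make_canary()
    req = urllib.request.Request(base_url + ENDPOINT, data=build_post(canary), method="POST")
    req.add_header("Cookie", cookie)
    urllib.request.urlopen(req, timeout=15).read()
    view = urllib.request.Request(base_url + LIST_PATH)
    view.add_header("Cookie", cookie)
    body = urllib.request.urlopen(view, timeout=15).read().decode("utf-8", "replace")
    return classify(body, canary)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py https://crm.example.test 'PHPSESSID=...'")
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it against a test instance with a session that is allowed to create jobs, and delete the canary job afterwards. A "raw" result means the fix is not in place; "encoded" is the expected outcome after patching; "stripped" means a sanitiser is removing tags, which is weaker than encoding because it is usually bypassable with attribute-based payloads.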
📡 Detection & Monitoring
Log Indicators:
- POST requests to /crm/create_job_submit.php whose parameters contain script-like content (tags, javascript: URLs, on*= handlers), including URL-encoded and mixed-case forms
- An existing session cookie suddenly used from a new client IP or User-Agent shortly after a user loaded a job-view page (the signature of cookie theft); failed logins on their own are a weak signal for this bug, since the attacker does not need to log in as the victim
Network Indicators:
- Traffic to /crm/create_job_submit.php containing <script> tags or JavaScript in POST data, also in URL-encoded form (%3Cscript, %3Cimg, javascript%3A)
SIEM Query:
source="web_logs" AND uri="/crm/create_job_submit.php" AND method="POST" AND (post_data CONTAINS "<script" OR post_data CONTAINS "%3Cscript" OR post_data CONTAINS "javascript:" OR post_data CONTAINS "javascript%3A" OR post_data CONTAINS "onerror=" OR post_data CONTAINS "onload=")
(Pseudo-syntax; adapt field names to your SIEM and make the match case-insensitive, otherwise <ScRiPt> and double-encoded payloads slip past it. Note that most web servers do not log POST bodies by default, so this query needs request-body logging or a WAF/reverse-proxy feed.)
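The SIEM rule above, run over a handful of constructed log records as an added example (not part of the advisory). It decodes the body before matching, so it also catches the URL-encoded, double-encoded and mixed-case variants a plain CONTAINS query misses, and it scopes the match to POSTs on the vulnerable endpoint. The JSON log format with ts, client_ip, method, uri and post_data fields is an assumption; the sample lines are constructed.

```python
import json
import re
from urllib.parse import unquote_plus

TARGET_URI = "/crm/create_job_submit.php"   # from the advisory

# Script-like content after decoding: a handful of dangerous tags, javascript:
# URLs, and on*= event handlers. \bon[a-z]+= needs a word boundary, so field
# names such as Description= or Location= do not trip it.
_SCRIPT_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body)\b|javascript\s*:|\bon[a-z]+\s*=", re.I)


def normalize(value: str) -> str:
    """Undo up to two layers of URL encoding (attackers double-encode to dodge
    single-decode filters) and lower-case the result."""
    out = value
    for _ in range(2):
        decoded = unquote_plus(out)
        if decoded == out:
            break
        out = decoded
    return out.lower()


def is_suspicious(record: dict) -> bool:
    """The detection rule: a POST to the vulnerable endpoint whose decoded body
    contains script-like content."""
    if record.get("method") != "POST" or record.get("uri") != TARGET_URI:
        return False
    return _SCRIPT_RE.search(normalize(record.get("post_data", ""))) is not None


def scan(lines):
    """Run the rule over raw JSON log lines; returns (ts, client_ip, decoded body) per hit."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the pipeline
        if is_suspicious(rec):
            hits.append((rec.get("ts"), rec.get("client_ip"),
                         normalize(rec.get("post_data", ""))))
    return hits


# Constructed sample log (not real traffic). Records 2-4 should fire: plain,
# double-encoded, and an attribute-breakout payload in mixed case. Record 1 is
# benign, record 5 is the same payload on another URI (out of scope for this
# rule), record 6 is a corrupt line.
SAMPLE_LOG = [
    '{"ts":"2025-06-01T10:00:01Z","client_ip":"10.0.0.5","method":"POST",'
    '"uri":"/crm/create_job_submit.php","post_data":"JobCreatedBy=Ana+Lopez&Site=North"}',
    '{"ts":"2025-06-01T10:02:17Z","client_ip":"203.0.113.7","method":"POST",'
    '"uri":"/crm/create_job_submit.php",'
    '"post_data":"JobCreatedBy=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}',
    '{"ts":"2025-06-01T10:02:45Z","client_ip":"203.0.113.7","method":"POST",'
    '"uri":"/crm/create_job_submit.php","post_data":"JobCreatedBy=%253Cscript%253E"}',
    '{"ts":"2025-06-01T10:05:03Z","client_ip":"198.51.100.9","method":"POST",'
    '"uri":"/crm/create_job_submit.php",'
    '"post_data":"JobCreatedBy=%22+onMouseOver%3D%22alert(1)"}',
    '{"ts":"2025-06-01T10:06:00Z","client_ip":"198.51.100.9","method":"POST",'
    '"uri":"/crm/login.php","post_data":"user=%3Cscript%3E"}',
    'this line is not json',
]

if __name__ == "__main__":
    for ts, ip, body in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {body}")
```

Two caveats carry over from the query: the rule needs a log source that actually records POST bodies, and a narrow tag list like this one trades false positives for coverage, so review the job table directly (look for `<` or `=` in JobCreatedBy) rather than relying on the wire rule alone.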