CVE-2025-40646
📋 TL;DR
A stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 allows attackers to inject malicious scripts via the JobCreatedBy parameter in POST requests to /crm/create_job_submit.php. This could enable session cookie theft when authenticated users view the malicious content. All users of Energy CRM v2025 by Status Tracker Ltd are affected.
💻 Affected Systems
- Energy CRM
📦 What is this software?
Energy Crm by Energycrm
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full system access, compromise sensitive customer data, and potentially pivot to internal networks.
Likely Case
Attackers steal user session cookies to impersonate legitimate users, access CRM data, and perform unauthorized actions within the application.
If Mitigated
With proper input validation and output encoding, the attack would fail, preventing script execution and maintaining session integrity.
🎯 Exploit Status
Exploitation only requires sending a POST request with a malicious payload, but it needs user interaction: a victim must view the stored malicious content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-energy-crm-status-tracker
Restart Required: No
Instructions:
1. Monitor vendor for patch release.
2. Apply patch when available.
3. Test in non-production environment first.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize the JobCreatedBy parameter input.
Modify create_job_submit.php to filter/escape special characters before processing.
Web Application Firewall Rule
Block malicious XSS payloads in POST requests to the vulnerable endpoint.
WAF rule: Block requests containing <script> tags or javascript: in JobCreatedBy parameter.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution.
- Use HTTP-only and Secure flags for session cookies to limit cookie theft impact.
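The two workarounds above (server-side validation of JobCreatedBy and escaping before the value reaches the page) and the two fallback controls (CSP and cookie flags) are shown together below. This is an added illustration written for this advisory, not Energy CRM's code and not the vendor's fix: the field format (a person's name of at most 64 characters), the function names and the session cookie value are assumptions, and the PHP equivalents are given in comments because the vulnerable endpoint is a PHP script.

```python
import html
import re

# Hypothetical stand-in for the server-side handling of JobCreatedBy. The
# allowed character set assumes the field holds a person's name; adjust it
# to whatever the real form accepts.
JOB_CREATED_BY_RE = re.compile(r"^[A-Za-z0-9 .,'_-]{1,64}$")


def validate_job_created_by(value: str) -> str:
    """Allow-list validation: reject anything outside the expected characters.

    Validation is defence in depth only; the rendering functions below still
    encode on output, because stored data may reach the page by other paths.
    """
    if not JOB_CREATED_BY_RE.fullmatch(value):
        raise ValueError("JobCreatedBy contains characters outside the allowed set")
    return value


def render_job_row_vulnerable(job_created_by: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into HTML verbatim,
    so a stored <script> payload runs for every user who views the job."""
    return f"<td>{job_created_by}</td>"


def render_job_row_hardened(job_created_by: str) -> str:
    """Hardened pattern: encode at the point of insertion into an HTML body
    context. html.escape maps < > & " ' to entities, so the payload is shown
    as text instead of being parsed as markup. PHP equivalent:
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return f"<td>{html.escape(job_created_by, quote=True)}</td>"


def is_rendered_as_markup(rendered: str) -> bool:
    """Check used by the example: does the output still contain a raw script tag?"""
    return re.search(r"<\s*script", rendered, re.IGNORECASE) is not None


def hardening_headers() -> dict:
    """Response headers for the 'If You Can't Patch' controls. The CSP has no
    'unsafe-inline', so an injected <script> block is refused by the browser
    even where encoding is missed; HttpOnly keeps the session cookie out of
    document.cookie and Secure keeps it off plain HTTP. PHPSESSID is PHP's
    default session cookie name; the value is a placeholder."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "Set-Cookie": "PHPSESSID=<session-id>; Path=/; HttpOnly; Secure; SameSite=Lax",
    }


def handle_create_job_submit(form: dict) -> dict:
    """Hypothetical equivalent of create_job_submit.php: validate the field and
    return the record that would be stored plus the headers to send."""
    created_by = validate_job_created_by(form.get("JobCreatedBy", ""))
    return {"JobCreatedBy": created_by, "headers": hardening_headers()}


if __name__ == "__main__":
    sample = "<script>alert('XSS')</script>"  # the advisory's own test string
    print(render_job_row_vulnerable(sample))
    print(render_job_row_hardened(sample))
```

Encoding belongs at output, not at storage: a value escaped once on the way into the database is double-escaped when a second template escapes it again, and is still unsafe in a JavaScript or attribute context. The CSP shown disables inline scripts entirely, which also breaks any inline scripts the CRM itself relies on, so deploy it in report-only mode first and review the violation reports before enforcing it.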
🔍 How to Verify
Check if Vulnerable:
Test by sending a POST request to /crm/create_job_submit.php with the JobCreatedBy parameter set to <script>alert('XSS')</script>, then check whether the script executes when the stored job is viewed.
Check Version:
Check CRM interface or configuration files for version information.
Verify Fix Applied:
Repeat the vulnerability test after applying the fixes; the script should not execute and the input should be properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /crm/create_job_submit.php with suspicious characters in JobCreatedBy parameter.
- Unusual script tags or JavaScript patterns in application logs.
Network Indicators:
- HTTP POST traffic to vulnerable endpoint with XSS payload patterns.
SIEM Query:
source="web_logs" AND uri_path="/crm/create_job_submit.php" AND (JobCreatedBy CONTAINS "<script>" OR JobCreatedBy CONTAINS "javascript:")
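The SIEM query above, run over constructed sample records, as an added example that is not part of the advisory. It assumes a JSON-lines log that records the submitted form fields (a WAF or application log); a stock web-server access log carries only the request line, so the JobCreatedBy condition cannot be evaluated on it. The second rule keeps the query's scope and indicators but normalises the value first, because the literal query matches only lower-case, un-encoded "<script>" and "javascript:" while the application decodes URL-encoded submissions before storing them.

```python
import json
import re
from urllib.parse import unquote_plus

VULN_PATH = "/crm/create_job_submit.php"
PARAM = "JobCreatedBy"

# Constructed sample records, not real traffic. Addresses are from the
# 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
{"src_ip": "203.0.113.5", "method": "POST", "uri_path": "/crm/create_job_submit.php", "form": {"JobCreatedBy": "Jane O'Brien"}}
{"src_ip": "203.0.113.7", "method": "POST", "uri_path": "/crm/create_job_submit.php", "form": {"JobCreatedBy": "<script>alert('XSS')</script>"}}
{"src_ip": "203.0.113.9", "method": "POST", "uri_path": "/crm/create_job_submit.php", "form": {"JobCreatedBy": "%3CScRiPt%3Ealert(1)%3C%2Fscript%3E"}}
{"src_ip": "203.0.113.11", "method": "POST", "uri_path": "/crm/jobs.php", "form": {"JobCreatedBy": "<script>x</script>"}}
{"src_ip": "203.0.113.13", "method": "GET", "uri_path": "/crm/create_job_submit.php", "form": {}}
"""


def _field(rec: dict) -> str:
    """The JobCreatedBy value of a record, or an empty string if absent."""
    return str(rec.get("form", {}).get(PARAM, ""))


def matches_page_query(rec: dict) -> bool:
    """Literal port of the advisory's SIEM query: exact path and the two
    case-sensitive substrings "<script>" and "javascript:"."""
    if rec.get("uri_path") != VULN_PATH:
        return False
    value = _field(rec)
    return "<script>" in value or "javascript:" in value


# The same two indicators, but tolerant of whitespace and letter case.
INDICATORS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def matches_hardened_rule(rec: dict) -> bool:
    """Same scope as the page's query, restricted to POST and evaluated on the
    URL-decoded value (decoded twice to cover double encoding)."""
    if rec.get("uri_path") != VULN_PATH or rec.get("method") != "POST":
        return False
    decoded = unquote_plus(unquote_plus(_field(rec)))
    return INDICATORS.search(decoded) is not None


def scan(log_text: str) -> list:
    """Run both rules over a JSON-lines log and report per-record results."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        results.append({
            "src_ip": rec.get("src_ip"),
            "page_query": matches_page_query(rec),
            "hardened_rule": matches_hardened_rule(rec),
        })
    return results


if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        print(result)
```

Of the five constructed records, only the second trips the literal query; the third (mixed case, URL-encoded) is caught only after decoding, and the fourth and fifth are out of scope by path and by method. Whatever query language the SIEM uses, apply the same normalisation there, or decode at ingestion, before relying on substring matches.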