CVE-2025-40989

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Ekushey CRM v5.0 allows attackers to inject malicious scripts via the 'message' parameter in project messages. This affects all users of the vulnerable version who can be tricked into viewing malicious content. Attackers could steal session cookies and potentially hijack authenticated user accounts.

💻 Affected Systems

Products:
  • Ekushey CRM
Versions: v5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to the client/project_message functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover leading to data theft, privilege escalation, and further system compromise through authenticated user sessions.

🟠 Likely Case

Session hijacking allowing unauthorized access to CRM data and functionality, potentially leading to data exfiltration or manipulation.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially only affecting individual user sessions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but uses simple XSS payloads. Stored nature makes it persistent.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-creativeitem-products

Restart Required: No

Instructions:

1. Monitor vendor for patch release.
2. Apply patch when available.
3. Test in non-production environment first.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement server-side input validation to sanitize the 'message' parameter.
Implement input sanitization in the /ekushey/index.php/client/project_message/add/xxx endpoint.

Content Security Policy (all)

Implement strict CSP headers to prevent script execution from untrusted sources.
Add a 'Content-Security-Policy' header with script-src 'self'.

🧯 If You Can't Patch

  • Disable or restrict access to the vulnerable endpoint (/client/project_message/add)
  • Implement web application firewall rules to block XSS payloads in the message parameter

🔍 How to Verify

Check if Vulnerable:

Test by submitting a simple XSS payload like <script>alert('test')</script> in the message parameter and checking if it executes when viewed.

Check Version:

Check CRM version in admin panel or configuration files

Verify Fix Applied:

Verify that XSS payloads are properly sanitized and do not execute when submitted through the vulnerable endpoint.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /ekushey/index.php/client/project_message/add with script tags in parameters
  • Multiple failed login attempts followed by successful access to message functionality

Network Indicators:

  • HTTP requests containing script tags or JavaScript in POST body parameters
  • Outbound connections to suspicious domains from CRM sessions

SIEM Query:

source="web_logs" AND uri="/ekushey/index.php/client/project_message/add" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
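As an added example (not part of this advisory or the vendor's code), the following Python script applies the same detection logic as the SIEM query above to constructed access-log lines. It URL-decodes and case-folds the POST body first, so a payload submitted as %3Cscript%3E or <SCRIPT> is not missed by a literal CONTAINS match. The log line format and field names are assumptions, not Ekushey's real log format.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic): method, URI and POST body.
SAMPLE_LOGS = [
    'POST /ekushey/index.php/client/project_message/add/12 body="message=Status+update+attached"',
    'POST /ekushey/index.php/client/project_message/add/12 body="message=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E"',
    'POST /ekushey/index.php/client/project_message/add/7 body="message=%3CSCRIPT%3Ealert%281%29%3C%2FSCRIPT%3E"',
    'GET /ekushey/index.php/client/project_message/list/12 body=""',
    'POST /ekushey/index.php/client/project_message/add/3 body="message=click+javascript%3Avoid%280%29"',
]

# Assumed log layout: "<METHOD> <URI> body=\"<raw POST body>\"".
LOG_RE = re.compile(r'^(?P<method>\w+) (?P<uri>\S+) body="(?P<body>.*)"$')
TARGET_PREFIX = "/ekushey/index.php/client/project_message/add"
# Same markers as the SIEM query, compared after decoding and lower-casing.
MARKERS = ("<script", "javascript:")


def decode_body(body: str) -> str:
    """URL-decode repeatedly (bounded) so double-encoded input is normalised too."""
    cur = body
    for _ in range(3):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def is_suspicious(line: str) -> bool:
    """True for a POST to the vulnerable endpoint whose body carries a marker."""
    m = LOG_RE.match(line)
    if not m:
        return False
    if m.group("method") != "POST" or not m.group("uri").startswith(TARGET_PREFIX):
        return False
    decoded = decode_body(m.group("body"))
    return any(marker in decoded for marker in MARKERS)


def flag_lines(lines):
    """Return the subset of log lines that should raise an alert."""
    return [ln for ln in lines if is_suspicious(ln)]


if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOGS):
        print("ALERT:", hit)
```

A plain string match on the raw body would miss the second and third sample lines; decoding before matching is what the SIEM query's CONTAINS clause does not do on its own.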
