CVE-2025-40991
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Ekushey CRM v5.0 allows attackers to inject malicious scripts via the description parameter when uploading project files. This affects all users of the vulnerable version and could lead to session hijacking. Attackers must first authenticate to exploit this vulnerability.
💻 Affected Systems
- Ekushey CRM by Creativeitem
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full control of the CRM system, accesses sensitive client data, and potentially compromises the entire organization's customer information.
Likely Case
Attacker steals user session cookies to impersonate legitimate users, accesses their CRM data, and performs unauthorized actions within their permission scope.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized, preventing session theft while maintaining normal functionality.
🎯 Exploit Status
Exploitation requires authenticated access; stored XSS payloads are simple to craft and execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-creativeitem-products
Restart Required: No
Instructions:
1. Monitor vendor for security updates.
2. Apply patches when available.
3. Test in development environment before production deployment.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the description parameter content
Implement allowlist regex filtering that strips every character matching /[^a-zA-Z0-9\s.,!?-]/
Encode the description with PHP htmlspecialchars() (or equivalent) wherever it is rendered
Content Security Policy
Implement CSP headers to restrict script execution sources
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to .htaccess or web server configuration
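The two workarounds above (the character allowlist and output encoding) and the "Verify Fix Applied" check further down can be seen side by side in the following added example. It is not code from Ekushey CRM or the vendor; the HTML template, function names and the sample descriptions are constructed for illustration, and Python's html.escape stands in for PHP's htmlspecialchars().

```python
import html
import re

# Allowlist taken from the workaround above: every character outside this class is removed.
DESCRIPTION_ALLOWLIST = re.compile(r"[^a-zA-Z0-9\s.,!?-]")


def sanitize_description(raw: str) -> str:
    """Server-side input filter: strip every character the allowlist does not permit.

    Lossy by design: parentheses, ampersands, accented letters and so on disappear,
    so legitimate descriptions can be mangled. Treat it as a stopgap, not the fix.
    """
    return DESCRIPTION_ALLOWLIST.sub("", raw)


def encode_for_html(value: str) -> str:
    """Output encoding, the equivalent of PHP htmlspecialchars($value, ENT_QUOTES).

    Encodes & < > " and ' so the stored value is displayed as text and never parsed as markup.
    """
    return html.escape(value, quote=True)


def render_description_cell_unsafe(description: str) -> str:
    """The vulnerable pattern (constructed template): the stored description is interpolated unencoded."""
    return f'<td class="description">{description}</td>'


def render_description_cell(description: str) -> str:
    """Hardened version of the same template: encode at the point of output."""
    return f'<td class="description">{encode_for_html(description)}</td>'


def contains_script_tag(fragment: str) -> bool:
    """The 'Verify Fix Applied' check: does the rendered output still carry a script tag?"""
    return re.search(r"<\s*script", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed inputs: the page's test payload and a harmless description the regex mangles.
    payload = "<script>alert('XSS')</script>"
    benign = "Q3 report (draft) for Müller & Co."
    print("stripped payload :", sanitize_description(payload))
    print("stripped benign  :", sanitize_description(benign))
    print("unsafe render    :", render_description_cell_unsafe(payload))
    print("encoded render   :", render_description_cell(payload))
    print("fix verified     :", not contains_script_tag(render_description_cell(payload)))
```

Output encoding is the control that actually removes the stored XSS: the encoded row shows the payload as literal text no matter what reached the database, while the regex filter silently damages ordinary input such as "(draft)" or "Müller". When porting this to PHP, pass ENT_QUOTES to htmlspecialchars() explicitly; before PHP 8.1 the default flags left single quotes unencoded.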
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in POST requests
- Enable HttpOnly and Secure flags on session cookies to limit cookie theft impact
🔍 How to Verify
Check if Vulnerable:
Upload a project file whose description parameter contains <script>alert('XSS')</script> and check whether the script executes when the file is viewed
Check Version:
Check Ekushey CRM version in admin panel or via /ekushey/index.php/admin/system_settings
Verify Fix Applied:
Attempt the same test payload; script should not execute and input should be properly encoded in output
📡 Detection & Monitoring
Log Indicators:
- POST requests to /ekushey/index.php/client/project_file/upload/ with script tags in parameters
- Unusual file upload patterns from single users
Network Indicators:
- HTTP requests containing <script> tags in POST body parameters
- Multiple file upload attempts with similar payloads
SIEM Query:
source="web_logs" AND uri_path="/ekushey/index.php/client/project_file/upload/*" AND (http_method="POST" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))