CVE-2025-40990 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, discovered in version 5.0 of Creativeitem's Ekushey CRM. The flaw exists due to insufficient sanitization and validation of user-supplied input in the 'title' and 'description' parameters submitted via POST requests to the /ekushey/index.php/client/project_bug/create/xxx endpoint. Because the vulnerability is stored, malicious scripts injected by an attacker persist in the application and execute whenever an authenticated user views the affected content. This enables attackers to execute arbitrary JavaScript in the victim's browser context, potentially stealing session cookies or performing actions on behalf of the user. The attack requires the attacker to be authenticated with at least user-level privileges and to trick other authenticated users into viewing the malicious content, implying some user interaction is necessary. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required beyond authentication (PR:L), user interaction required (UI:P), and limited scope impact (S:L). No known exploits are currently reported in the wild, but the vulnerability poses a credible risk to confidentiality and session integrity. The lack of vendor patches or mitigations at the time of publication increases urgency for defensive measures. This vulnerability highlights the importance of proper input validation and output encoding in web applications, especially CRM systems that handle sensitive client and project data.

For European organizations using Ekushey CRM 5.0, this vulnerability could lead to session hijacking and unauthorized access to sensitive customer relationship management data. Attackers exploiting this flaw can impersonate legitimate users, potentially gaining access to confidential client information, project details, and internal communications. This could result in data breaches, reputational damage, and regulatory non-compliance under GDPR due to exposure of personal data. The medium severity score reflects that while the attack requires authentication and user interaction, the impact on confidentiality and integrity is significant. Availability is less affected. Organizations in sectors with high reliance on CRM systems, such as finance, consulting, and sales, are particularly vulnerable. The persistence of malicious scripts also increases the risk of widespread compromise within an organization if multiple users access the infected content. Furthermore, the lack of known exploits currently may lead to complacency, but the vulnerability could be weaponized in targeted phishing or insider threat scenarios.

European organizations should immediately audit their use of Ekushey CRM version 5.0 and plan for an upgrade or patch once available from Creativeitem. In the absence of an official patch, implement strict input validation and output encoding on the 'title' and 'description' fields at the web application firewall (WAF) or reverse proxy level to block or sanitize suspicious payloads. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in users' browsers. Enforce multi-factor authentication (MFA) to reduce the risk of compromised credentials being exploited. Conduct user awareness training to recognize and avoid interacting with suspicious links or content within the CRM. Regularly monitor logs for unusual activity related to the vulnerable endpoint and session anomalies. Segregate user roles and limit permissions to minimize the impact of compromised accounts. Finally, maintain an incident response plan tailored to web application attacks to quickly contain and remediate any exploitation attempts.