CVE-2025-40990 is a stored Cross-Site Scripting (XSS) vulnerability identified in version 5.0 of the Ekushey CRM software developed by Creativeitem. The vulnerability arises from improper neutralization of user input during web page generation, specifically in the handling of the 'title' and 'description' parameters submitted via POST requests to the endpoint /ekushey/index.php/client/project_bug/create/xxx. Because the application fails to properly validate and sanitize these inputs, an attacker with authenticated access can inject malicious scripts that are stored on the server and subsequently executed in the browsers of other authenticated users who view the affected pages. This can lead to session cookie theft, enabling attackers to hijack user sessions and potentially escalate privileges or access sensitive CRM data. The CVSS v4.0 base score is 5.1, indicating a medium severity level. The vector details show that the attack can be performed remotely over the network without requiring elevated privileges, but it does require the attacker to be authenticated and user interaction (viewing the malicious content) is necessary. The vulnerability does not affect confidentiality, integrity, or availability directly but compromises user session confidentiality through client-side script execution. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability was assigned by INCIBE and publicly disclosed on October 2, 2025.

For European organizations using Ekushey CRM v5.0, this vulnerability poses a significant risk to the confidentiality of user sessions and potentially sensitive customer relationship data. Since CRM systems typically store critical business information such as client contacts, project details, and internal communications, session hijacking could lead to unauthorized data access, data leakage, or manipulation of CRM records. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), and financial losses. The requirement for attacker authentication limits the attack surface to insiders or compromised accounts, but the stored nature of the XSS means that once injected, multiple users can be affected without further attacker interaction. The medium severity rating suggests a moderate risk, but the impact on session security and potential for lateral movement within the organization should not be underestimated. European organizations with remote or hybrid workforces may be particularly vulnerable if users access the CRM from less secure environments.

To mitigate this vulnerability, organizations should implement strict input validation and output encoding on the 'title' and 'description' parameters within the Ekushey CRM application. Specifically, all user-supplied data must be sanitized to neutralize HTML and script tags before storage and rendering. Employing a robust web application firewall (WAF) with rules targeting XSS payloads can provide an additional layer of defense. Organizations should enforce strong authentication mechanisms and monitor user activity for anomalous behavior indicative of exploitation attempts. Since no official patch is currently available, temporary mitigations include restricting access to the vulnerable endpoint to trusted users only and educating users about the risks of clicking on suspicious links within the CRM. Regular security audits and penetration testing focused on input validation should be conducted. Once a patch is released by Creativeitem, prompt application of updates is critical. Additionally, implementing Content Security Policy (CSP) headers can reduce the impact of XSS by restricting script execution sources.