
CVE-2025-40991: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Creativeitem Ekushey CRM

Severity: Medium
Tags: Vulnerability, CVE-2025-40991, cve, cwe-79
Published: Thu Oct 02 2025 (10/02/2025, 10:45:42 UTC)
Source: CVE Database V5
Vendor/Project: Creativeitem
Product: Ekushey CRM

Description

Stored Cross-Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via "/ekushey/index.php/client/project_file/upload/xxxx", affecting the "description" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her session cookie details.

AI-Powered Analysis

Last updated: 10/02/2025, 10:48:27 UTC

Technical Analysis

CVE-2025-40991 is a stored Cross-Site Scripting (XSS) vulnerability in version 5.0 of the Ekushey CRM software developed by Creativeitem. It arises from improper neutralization of user input during web page generation, specifically the 'description' parameter submitted via POST requests to the endpoint '/ekushey/index.php/client/project_file/upload/xxxx'. Because the application does not properly validate and sanitize this input, an attacker with an authenticated account can submit script content that is stored on the server and later executed in the browsers of other authenticated users who view the affected content.

The only user interaction required is that a victim views the stored content; on the attacker's side, no privileges beyond authentication are needed. Successful exploitation could allow an attacker to steal session cookies, enabling session hijacking and potentially unauthorized access to user accounts within the CRM. The CVSS v4.0 base score is 5.1 (medium severity): network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction required (viewing the malicious content). The vulnerability has not been reported as exploited in the wild, and no patches have been publicly released at this time. The CWE classification is CWE-79, improper neutralization of input leading to XSS. The primary impact is on confidentiality through cookie theft, which could lead to further unauthorized access and data exposure within the CRM environment.

Potential Impact

For European organizations using Ekushey CRM v5.0, this vulnerability poses a moderate risk to the confidentiality and integrity of sensitive customer relationship data. Since CRM systems typically store critical business information, including client contacts, project details, and communication logs, successful exploitation could lead to unauthorized data access or manipulation. The ability to hijack authenticated sessions may allow attackers to impersonate legitimate users, potentially leading to data exfiltration, unauthorized changes, or further lateral movement within the organization's network. Given that the vulnerability requires authentication, the threat is more significant in environments where user accounts have weak access controls or where phishing or credential theft is prevalent. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks, especially in sectors with high-value data such as finance, legal, or government agencies. Additionally, the stored nature of the XSS means that malicious scripts persist on the server, increasing the window of exposure. European organizations must consider the potential regulatory implications under GDPR if personal data is compromised due to this vulnerability.

Mitigation Recommendations

To mitigate this vulnerability effectively, European organizations should:

1) Immediately review and restrict access to the affected endpoint, ensuring only trusted users can submit data to '/ekushey/index.php/client/project_file/upload/xxxx'.
2) Implement strict input validation and output encoding on the 'description' parameter to neutralize any malicious scripts before storage and rendering. This includes using context-aware encoding libraries that handle HTML, JavaScript, and URL contexts appropriately.
3) Enforce the principle of least privilege for CRM user accounts to minimize the impact of compromised sessions.
4) Monitor application logs for unusual POST requests or unexpected script content submissions to detect potential exploitation attempts.
5) Educate users about the risks of clicking on suspicious links or content within the CRM, as user interaction is required to trigger the exploit.
6) If possible, isolate the CRM environment and apply web application firewalls (WAF) with rules designed to detect and block XSS payloads targeting the vulnerable parameter.
7) Engage with the vendor, Creativeitem, to obtain or request a security patch or update that addresses this vulnerability.
8) Conduct regular security assessments and penetration tests focusing on input validation and session management controls within the CRM.
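As an added illustration (not Ekushey CRM code) of the defect behind this CVE and of mitigation items 2 and 4 above: a simulated render path for a stored 'description' value, unsafe versus context-aware output encoding, plus a cheap screen of submitted values for script markers to support log review. The function names and the sample description are constructed for this example.

```python
# Added example, not Ekushey CRM code: the CWE-79 pattern behind CVE-2025-40991
# and the output-encoding fix, in a Python simulation of the render path.
import html
import json
import re

# Constructed sample of an attacker-controlled 'description' submission.
SAMPLE_DESCRIPTION = "<script>alert(1)</script>"


def render_unsafe(description: str) -> str:
    """Vulnerable pattern: stored text interpolated raw into HTML."""
    return f"<p class='desc'>{description}</p>"


def render_html_body(description: str) -> str:
    """HTML body context: escape &, <, >, and quotes before rendering."""
    return f"<p class='desc'>{html.escape(description, quote=True)}</p>"


def render_html_attribute(description: str) -> str:
    """HTML attribute context: always quote the attribute and escape quotes."""
    safe = html.escape(description, quote=True)
    return f'<input type="text" name="description" value="{safe}">'


def render_js_string(description: str) -> str:
    """JavaScript string context: JSON-encode, then also encode '<' and '>'
    so a stored '</script>' cannot terminate the surrounding script block."""
    encoded = json.dumps(description).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var desc = {encoded};</script>"


# Markers worth a second look when they appear in logged POST bodies.
# This is a review trigger for monitoring, not a substitute for encoding.
SCRIPT_MARKERS = re.compile(r"<\s*script|on\w+\s*=|javascript:", re.IGNORECASE)


def looks_like_script(value: str) -> bool:
    """True if a submitted value contains common script-injection markers."""
    return bool(SCRIPT_MARKERS.search(value))


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_DESCRIPTION))
    print("body   :", render_html_body(SAMPLE_DESCRIPTION))
    print("attr   :", render_html_attribute(SAMPLE_DESCRIPTION))
    print("js     :", render_js_string(SAMPLE_DESCRIPTION))
    print("flag   :", looks_like_script(SAMPLE_DESCRIPTION))
```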


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:08:37.856Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68de5841274727b051111922

Added to database: 10/2/2025, 10:47:29 AM

Last enriched: 10/2/2025, 10:48:27 AM

Last updated: 10/3/2025, 12:10:35 AM

