CVE-2025-40991: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Creativeitem Ekushey CRM
Stored Cross-Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to a lack of proper validation of user input via "/ekushey/index.php/client/project_file/upload/xxxx", affecting the "description" parameter via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her session cookie details.
AI Analysis
Technical Summary
CVE-2025-40991 is a stored Cross-Site Scripting (XSS) vulnerability in version 5.0 of the Ekushey CRM product developed by Creativeitem. It stems from improper neutralization of user-supplied input in the 'description' parameter submitted via POST to the endpoint /ekushey/index.php/client/project_file/upload/xxxx. Because the input is neither sanitized nor encoded before being stored and later rendered in web pages, an authenticated attacker can inject JavaScript that executes in the browser of every user who views the affected page, enabling theft of session cookies or other sensitive information. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:P), and low scope (S:L). The vulnerability does not directly impact confidentiality, integrity, or availability, but it compromises session confidentiality through cookie theft. No public exploits are currently known, but the flaw presents a credible risk of session hijacking and unauthorized access if exploited. With no published patch, organizations need to apply compensating controls promptly. The issue is classified under CWE-79, a common and well-understood web application weakness related to improper input validation and output encoding.
Potential Impact
For European organizations using Ekushey CRM version 5.0, this vulnerability poses a significant risk of session hijacking through stored XSS attacks. Attackers could leverage this flaw to impersonate legitimate users, potentially gaining unauthorized access to sensitive customer data, internal communications, and business-critical functions managed within the CRM. This could lead to data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and financial losses. The requirement for attacker authentication and user interaction somewhat limits the attack surface but does not eliminate risk, especially in environments with many users or weak access controls. Industries such as finance, healthcare, and manufacturing that rely heavily on CRM systems for client management and have strict data protection obligations are particularly vulnerable. Additionally, the persistence of the stored XSS payload means that multiple users can be affected over time, amplifying the potential damage. The absence of known exploits in the wild provides a window for proactive mitigation, but organizations should not delay remediation efforts.
Mitigation Recommendations
1. Implement strict server-side input validation and output encoding for all user-supplied data, especially the 'description' parameter in the affected endpoint, to neutralize malicious scripts before storage or rendering.
2. Deploy a robust Content Security Policy (CSP) to restrict the execution of unauthorized scripts in the browser context.
3. Limit user privileges to the minimum necessary, ensuring that only trusted users can submit content that is rendered to others.
4. Conduct regular security audits and penetration testing focused on web application input handling and XSS vulnerabilities.
5. Monitor application logs and user activity for unusual behavior indicative of exploitation attempts.
6. If patching is not immediately available, consider implementing web application firewall (WAF) rules to detect and block malicious payloads targeting the vulnerable parameter.
7. Educate users about the risks of clicking on suspicious links or content within the CRM to reduce the likelihood of successful exploitation.
8. Engage with the vendor Creativeitem for updates or patches and apply them promptly once released.
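Mitigations 1 (output encoding) and 2 (CSP) side by side, as an added Python illustration that is not Ekushey CRM code: the template, the sample description and every function name are assumptions standing in for the page that renders a project file's description.

```python
"""Constructed before/after for the description-field stored XSS (CWE-79).

Not Ekushey CRM code: TEMPLATE, SAMPLE_DESCRIPTION and the function names are
assumptions that stand in for the page rendering a project file's description.
"""
import html
from html.parser import HTMLParser

# Constructed test input: a description value carrying a live element with an
# inline event handler, the shape of input the affected endpoint fails to neutralize.
SAMPLE_DESCRIPTION = '<img src=x onerror="alert(1)">Q3 roadmap.pdf'

# Assumed fragment of the file-list page; the description lands in element content.
TEMPLATE = '<div class="file-desc">{desc}</div>'


def render_vulnerable(description: str) -> str:
    """Before: the stored value is interpolated into HTML unchanged (the bug)."""
    return TEMPLATE.format(desc=description)


def render_hardened(description: str) -> str:
    """After: encode at output time. quote=True also encodes ' and ", so the
    same call is safe inside a quoted attribute value; it is NOT sufficient for
    JavaScript, URL or CSS contexts, which need their own encoders."""
    return TEMPLATE.format(desc=html.escape(description, quote=True))


def csp_header(nonce: str) -> tuple[str, str]:
    """Mitigation 2: nonce-based CSP. Inline handlers such as onerror and any
    injected <script> element lacking the per-response nonce are blocked."""
    policy = (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
              "object-src 'none'; base-uri 'self'")
    return ("Content-Security-Policy", policy)


class _TagCollector(HTMLParser):
    """Records every element and every on* attribute a browser would see."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]


def active_content(rendered: str) -> tuple[list[str], list[str]]:
    """Review check: which elements and event handlers survive in the output."""
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags, collector.handlers


if __name__ == "__main__":
    print(active_content(render_vulnerable(SAMPLE_DESCRIPTION)))  # (['div', 'img'], ['onerror'])
    print(active_content(render_hardened(SAMPLE_DESCRIPTION)))    # (['div'], [])
```

The `active_content` check is a useful regression test for any template that echoes stored CRM fields: the only elements in the output should be the template's own.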
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:08:37.856Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68de5841274727b051111922
Added to database: 10/2/2025, 10:47:29 AM
Last enriched: 10/9/2025, 11:15:46 AM
Last updated: 11/14/2025, 9:02:21 AM