CVE-2025-45755 is a Stored Cross-Site Scripting (XSS) vulnerability identified in Vtiger CRM Open Source Edition version 8.3.0. The vulnerability arises from improper sanitization of user input during the import of Services via CSV files. Specifically, an attacker can craft a malicious CSV file containing an XSS payload embedded in the 'Service Name' field. When this file is uploaded through the Services Import feature, the application fails to properly sanitize the input, resulting in persistent script execution within the context of the affected web application. This persistent XSS allows an attacker to execute arbitrary JavaScript code in the browsers of users who view the affected service entries, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability has a CVSS v3.1 base score of 6.1, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) shows that the attack can be performed remotely over the network without privileges, requires user interaction (such as an authenticated user viewing the malicious content), and impacts confidentiality and integrity with a scope change, but does not affect availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is classified under CWE-79, which corresponds to improper neutralization of input leading to XSS.

For European organizations using Vtiger CRM Open Source Edition 8.3.0, this vulnerability poses a significant risk to the confidentiality and integrity of their CRM data and user sessions. Since CRM systems often contain sensitive customer information, contact details, and business-critical data, exploitation could lead to unauthorized data disclosure or manipulation. Persistent XSS can also facilitate phishing attacks within the organization by injecting malicious scripts that alter the user interface or redirect users to fraudulent sites. The scope change indicated by the CVSS vector means that the vulnerability can affect components beyond the initially targeted service import feature, potentially compromising other parts of the CRM application. This could disrupt business operations and damage trust with clients and partners. Although no availability impact is noted, the reputational damage and potential regulatory implications under GDPR for data breaches involving personal data could be substantial. The requirement for user interaction (viewing the malicious entry) means that social engineering or insider threat vectors could be leveraged by attackers.

European organizations should implement the following specific mitigations: 1) Immediately restrict or disable the Services Import feature in Vtiger CRM 8.3.0 until a patch is available. 2) Implement strict input validation and sanitization on CSV import functionality, especially for fields that accept free text such as 'Service Name'. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the CRM web interface. 4) Conduct user training to recognize suspicious entries or unexpected behavior within the CRM. 5) Monitor logs for unusual import activities or repeated failed attempts to upload CSV files. 6) If possible, upgrade to a patched or newer version of Vtiger CRM once available. 7) Use web application firewalls (WAFs) with rules targeting XSS payload patterns to provide an additional layer of defense. 8) Regularly audit CRM user permissions to minimize exposure and ensure only trusted users can perform imports. These measures go beyond generic advice by focusing on the specific attack vector and operational context of the vulnerability.