CVE-2025-40990

Medium CVSS: 5.1

Stored Cross Site Scripting vulnerability in Ekushey CRM v5.0 by Creativeitem, due to lack of proper validation of user inputs via the "/ekushey/index.php/client/project_bug/create/xxx", affecting to "title" and "description" parameters via POST. This vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her cookie session details.

Vendor

Creativeitem

Product

Ekushey Project Manager Crm

CWE

CWE-79

Yayın Tarihi

2025-10-02 11:15:29

Güncelleme

2025-10-08 20:45:17

Source Identifier

cve-coordination@incibe.es

KEV Date Added

Kategoriler

CWE-79 Ekushey Project Manager Crm MEDIUM Creativeitem 2025

Referanslar

https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-creativeitem-products

Benzer Kayıtlar

Medium

CVE-2025-71179

Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to t…

Medium

CVE-2023-53876

Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with…

Medium

CVE-2025-56748

Creativeitem Academy LMS up to and including 5.13 uses predictable password reset tokens based on Base64 encoded templat…

Critical

CVE-2025-56749

Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictabl…

Low

CVE-2025-56746

Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabli…

Medium

CVE-2025-56747

Creativeitem Academy LMS up to and including 5.13 contains a privilege escalation vulnerability in the Api_instructor co…