CVE-2025-40990

Name of the Vulnerable Software and Affected Versions Ekushey CRM version 5.0

Description A stored Cross Site Scripting issue exists in Ekushey CRM version 5.0 due to insufficient validation of user-supplied data. The issue is located in the project bug creation functionality, accessible via the /ekushey/index.php/client/project bug/create/xxx API endpoint. The title and description parameters, submitted via a POST request, are vulnerable. Successful exploitation could allow a remote attacker to compromise an authenticated user's cookie session details by sending a malicious query.

Recommendations Apply input validation to the title and description parameters in the /ekushey/index.php/client/project bug/create/xxx API endpoint.