PT-2025-43438 · Unknown · Energy Crm
Andrea Intilangelo · Published 2025-10-23 · Updated 2025-10-23
CVE-2025-40643
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Energy CRM version 2025
Description
A stored Cross-Site Scripting (XSS) issue exists due to insufficient validation of user-supplied data. A remote user can exploit this by sending a POST request to the /crm/create job submit.php endpoint, specifically via the JobCreatedBy parameter. Successful exploitation could allow an attacker to steal the session cookie of an authenticated user.
Recommendations
Ensure proper validation of user input for the JobCreatedBy parameter in the /crm/create job submit.php endpoint.
Fix
XSS
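The recommendation above names the parameter but not the shape of a fix. The following PHP is an added example, not Energy CRM's code: it shows the two controls that together close a stored XSS of this kind, an input allowlist for JobCreatedBy at the create-job endpoint and HTML output encoding at render time. Only the endpoint path and the parameter name come from the advisory; the function names, the assumption that JobCreatedBy holds a person's name, and the allowlist rule are this example's own choices.

```php
<?php
// Added example (not Energy CRM's code). Hardened handling of the
// JobCreatedBy parameter from the /crm/create job submit.php endpoint named
// in the advisory. Function names and the allowlist are assumptions.

declare(strict_types=1);

/**
 * Input validation. JobCreatedBy is assumed to be a person's name or
 * username, so only letters, digits, space, dot, apostrophe, underscore and
 * hyphen are accepted, 1 to 64 characters. '<', '>', '"', '&' and '/' are
 * never allowed. Returns the trimmed value or null on rejection.
 */
function validate_job_created_by(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $value = trim($raw);
    // \p{L} = any Unicode letter, \p{N} = any Unicode digit.
    if (!preg_match('/^[\p{L}\p{N} .\'_-]{1,64}$/u', $value)) {
        return null;
    }
    return $value;
}

/**
 * Output encoding. Whatever was stored is HTML-encoded where it is rendered;
 * ENT_QUOTES encodes both quote styles so the value is also safe inside an
 * attribute, and the explicit charset avoids encoding mismatches.
 */
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Handler for the create-job POST: reject bad input with a 400 instead of
 * storing it. $post stands in for $_POST so the function can be exercised
 * from the CLI; persistence of the job record is outside this example.
 */
function handle_create_job_submit(array $post): array
{
    $createdBy = validate_job_created_by($post['JobCreatedBy'] ?? null);
    if ($createdBy === null) {
        return ['status' => 400,
                'error'  => 'JobCreatedBy is missing or contains disallowed characters'];
    }
    return ['status' => 200, 'JobCreatedBy' => $createdBy];
}

// Self-check with constructed inputs: php hardened_job_submit.php
if (PHP_SAPI === 'cli') {
    $accepted = handle_create_job_submit(['JobCreatedBy' => "Jane O'Brien"]);
    $rejected = handle_create_job_submit(['JobCreatedBy' => '<script>alert(1)</script>']);
    if ($accepted['status'] !== 200 || $rejected['status'] !== 400) {
        throw new RuntimeException('validation self-check failed');
    }
    // Even an accepted value is encoded before it reaches the page.
    echo encode_for_html($accepted['JobCreatedBy']), PHP_EOL; // Jane O&apos;Brien
}
```

Validation alone is not enough for a stored issue: records written before the fix are still in the database, and other code paths may feed the same field, so the encoding in encode_for_html is what actually neutralises them at display time. If the field is ever rendered inside a JavaScript block or a URL rather than HTML text, it needs the encoder for that context instead.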
Affected Products
Energy Crm