CVE-2025-40643 in Energy CRM
Summary
by MITRE • 10/23/2025
Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Analysis
by VulDB Data Team • 11/01/2025
The stored cross-site scripting vulnerability identified as CVE-2025-40643 affects Energy CRM v2025, a customer relationship management system developed by Status Tracker Ltd. This critical security flaw resides within the application's input validation mechanisms, specifically within the job creation submission endpoint at /crm/create_job_submit.php. The vulnerability manifests when the application fails to properly sanitize user-supplied data, particularly the JobCreatedBy parameter which is processed through a POST request. This oversight creates a persistent XSS attack vector: attacker-controlled script can be injected into the application's data storage and is then executed whenever other users access the affected content.
The technical exploitation of this vulnerability follows a well-established pattern that aligns with CWE-079 (Cross-site Scripting) and is a classic instance of stored XSS. Attackers can craft payloads containing JavaScript code and submit them through the vulnerable JobCreatedBy parameter, which is stored in the application's database without proper sanitization. When authenticated users navigate to pages displaying this stored data, their browsers execute the injected scripts within the context of their active sessions. This execution context is particularly dangerous because it allows attackers to access the victim's session cookies, effectively hijacking their authenticated sessions and gaining unauthorized access to the CRM system with the privileges of the compromised user.
The operational impact of this vulnerability extends beyond simple session theft, as it provides attackers with persistent access to sensitive customer data within the Energy CRM system. The stored nature of the vulnerability means that the malicious code remains active even after the initial injection, continuously affecting any user who encounters the compromised data. This creates a persistent threat vector that can be leveraged for extended periods without detection, potentially leading to data exfiltration, unauthorized data modification, or privilege escalation within the system. The attack requires only that a victim accesses pages containing the stored malicious content, making it particularly insidious as it can affect any authenticated user who interacts with the compromised job records.
Organizations should implement immediate mitigations to address this vulnerability, including input validation and output encoding measures that align with OWASP Top Ten recommendations and ATT&CK technique T1531 (Establishing Persistence). The most effective immediate solution involves strict validation of the JobCreatedBy parameter to reject or sanitize any potentially malicious input, combined with proper output encoding wherever user-supplied content is displayed. A Content Security Policy (CSP) header adds a further layer of protection by restricting which scripts the browser will execute within the application. Regular security audits and input validation testing should be conducted to prevent similar vulnerabilities in other application components, with particular attention to all user-input handling mechanisms that store data in persistent storage systems. The vulnerability demonstrates the critical importance of defense-in-depth strategies that combine server-side validation with client-side security measures to protect against persistent XSS threats.
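The three mitigations above (input validation, output encoding, CSP) as a worked example in PHP, the language of the affected endpoint. This is an added illustration, not code from Energy CRM or Status Tracker Ltd: the handler structure, the functions `validate_job_created_by`, `render_job_*`, `send_security_headers` and `handle_create_job_submit`, and the `$save` callback standing in for the real database write are all assumptions made for the example. The vulnerable renderer is shown first so the sink the advisory describes is visible next to its hardened form.

```php
<?php
// Added example, not Energy CRM's own code. A minimal stand-in for the
// create_job_submit.php flow: the JobCreatedBy value arrives in a POST body,
// is stored, and is later rendered into a page for other users.
declare(strict_types=1);

// --- Vulnerable pattern -----------------------------------------------------
// The stored value is written straight into HTML. Any markup a user submitted
// as JobCreatedBy becomes part of the page for everyone who views the job.
function render_job_vulnerable(array $job): string
{
    return '<td>' . $job['JobCreatedBy'] . '</td>';
}

// --- Hardened pattern -------------------------------------------------------

// 1. Input validation. JobCreatedBy is a person's name, so only a short
//    allow-list of characters is accepted. Invalid input is rejected rather
//    than "cleaned up", so no ambiguous transformation reaches storage.
function validate_job_created_by(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 64) {
        return null;
    }
    // Letters (any script), digits, spaces, dots, hyphens and apostrophes.
    if (!preg_match('/^[\p{L}\p{N} .\'\-]+$/u', $value)) {
        return null;
    }
    return $value;
}

// 2. Output encoding. Every stored value is entity-encoded at the point it is
//    placed into HTML, independent of whatever validation happened on input.
//    This also protects records stored before the input check existed.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_job_hardened(array $job): string
{
    return '<td>' . h($job['JobCreatedBy']) . '</td>';
}

// 3. Content Security Policy. With no 'unsafe-inline' in script-src, an
//    inline <script> that slips past encoding elsewhere is still not run.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// The submit handler in its hardened shape. $save is an assumed callback that
// performs the real database write (with a prepared statement) and is passed
// in so the example runs without a database.
function handle_create_job_submit(array $post, callable $save): int
{
    $createdBy = validate_job_created_by($post['JobCreatedBy'] ?? '');
    if ($createdBy === null) {
        return 400; // reject the request; nothing is stored
    }
    $save(['JobCreatedBy' => $createdBy]);
    return 201;
}

// Self-check from the command line: php hardened_job_submit.php
if (PHP_SAPI === 'cli') {
    $stored = [];
    $save = function (array $row) use (&$stored): void {
        $stored[] = $row;
    };

    // Constructed test input: the classic XSS probe string, not a real payload.
    $probe = ['JobCreatedBy' => '<script>alert(1)</script>'];
    $legit = ['JobCreatedBy' => "Ana O'Brien"];

    echo 'probe  -> HTTP ', handle_create_job_submit($probe, $save), PHP_EOL;
    echo 'legit  -> HTTP ', handle_create_job_submit($legit, $save), PHP_EOL;
    echo 'stored rows: ', count($stored), PHP_EOL;

    // A row written before the fix is still rendered safely by the encoder.
    echo 'vulnerable: ', render_job_vulnerable($probe), PHP_EOL;
    echo 'hardened:   ', render_job_hardened($probe), PHP_EOL;
}
```

The validation step is deliberately an allow-list on a field with a known shape; a deny-list of `<script` and similar strings is easy to bypass and is not what the advisory's "strict validation" asks for. Output encoding remains the primary control because it protects data that was already in the database when the fix shipped, which matters for a stored vulnerability.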