Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Advisories

No advisories yet.

Fixes

Solution

No solution has been reported at this time.


Workaround

No workaround given by the vendor.

History

Thu, 23 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 11:00:00 +0000

Type Values Removed Values Added
Description Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details.
Title Stored Cross-Site Scripting (XSS) in Energy CRM by Status Tracker
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2025-10-23T14:41:23.192Z

Reserved: 2025-04-16T08:38:10.820Z

Link: CVE-2025-40643

cve-icon Vulnrichment

Updated: 2025-10-23T14:41:20.260Z

cve-icon NVD

Status : Received

Published: 2025-10-23T11:15:31.507

Modified: 2025-10-23T11:15:31.507

Link: CVE-2025-40643

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.