No analysis available yet.
No remediation available yet.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
EUVD |
EUVD-2025-32091 | Exposure of sensitive information in Viday. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and searching for the JWT containing sensitive user information in the JWT payload. |
Wed, 15 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. | Exposure of sensitive information in Viday. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and searching for the JWT containing sensitive user information in the JWT payload. |
| Title | Multiple vulnerabilities in Energy CRM by Status Tracker | Exposure of sensitive information in Viday |
| Weaknesses | CWE-200 | |
| References |
| |
| Metrics |
cvssV4_0
|
cvssV4_0
|
Mon, 03 Nov 2025 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Energycrm
Energycrm energy Crm |
|
| CPEs | cpe:2.3:a:energycrm:energy_crm:2025:*:*:*:*:*:*:* | |
| Vendors & Products |
Energycrm
Energycrm energy Crm |
|
| Metrics |
cvssV3_1
|
Fri, 10 Oct 2025 09:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 | |
| References |
|
Fri, 10 Oct 2025 08:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Exposure of sensitive information in Viday. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and searching for the JWT containing sensitive user information in the JWT payload. | Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd, consisting of a stored XSS due to lack of proper validation of user input by sending a POST request to “/crm/create_job_submit.php”, using the “JobCreatedBy” parameter. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their cookie session details. |
| Title | Exposure of sensitive information in Viday | Multiple vulnerabilities in Energy CRM by Status Tracker |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV4_0
|
cvssV4_0
|
Fri, 03 Oct 2025 08:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Viday
Viday viday |
|
| Vendors & Products |
Viday
Viday viday |
Thu, 02 Oct 2025 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 02 Oct 2025 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Exposure of sensitive information in Viday. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and searching for the JWT containing sensitive user information in the JWT payload. | |
| Title | Exposure of sensitive information in Viday | |
| Weaknesses | CWE-200 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: INCIBE
Published:
Updated: 2026-07-15T13:02:21.060Z
Reserved: 2025-04-16T08:38:12.620Z
Link: CVE-2025-40646
Updated: 2025-10-02T17:28:58.267Z
Status : Analyzed
Published: 2025-10-02T10:15:38.140
Modified: 2026-06-17T09:21:53.163
Link: CVE-2025-40646
No data.
OpenCVE Enrichment
Updated: 2025-10-03T08:22:54Z
EUVD