Multiple vulnerabilities in Creativeitem products
- Ekushey CRM, v5.0;
- Sociopro.
INCIBE has coordinated the publication of 4 medium-severity vulnerabilities affecting the Ekushey CRM and Sociopro products by Creativeitem, a platform for creating private social networks with full interaction features.
The vulnerabilities were discovered by Gonzalo Aguilar García (6h4ack).
These vulnerabilities have been assigned the following identifiers, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40989 to CVE-2025-40992: CVSS v4.0: 5.1 | CVSS vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79.
There is no reported solution at this time.
Creativeitem Ekushey CRM v5.0 has three Stored XSS vulnerabilities due to a lack of proper validation of user input submitted in a POST request. The relationship between parameters and assigned identifiers is as follows:
- CVE-2025-40989: parameter 'message' in '/ekushey/index.php/client/project_message/add/xxx'.
- CVE-2025-40990: parameters 'title' and 'description' in '/ekushey/index.php/client/project_bug/create/xxx'.
- CVE-2025-40991: parameter 'description' in '/ekushey/index.php/client/project_file/upload/xxxx'.
CVE-2025-40992: Stored XSS vulnerability in Creativeitem Sociopro due to a lack of proper validation of user input via the endpoint '/sociopro/profile/update_profile', affecting the 'name' parameter via POST. This vulnerability could allow a remote user to send a specially crafted request to an authenticated user and steal their session cookie details.
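As an added illustration (not code from the advisory or from Creativeitem), the Python below models the defect class behind these four CVEs: a stored POST value rendered into a page unencoded, beside the hardened rendering with context-aware output encoding and an input-side allowlist for the short 'name' field. The endpoint and parameter table is taken from the advisory; the sample input and the rendering functions are constructed for this example.

```python
import html
import re

# Constructed sample input, standing in for a value submitted in the POST
# body of one of the affected endpoints. Not a payload from the advisory.
SAMPLE_MESSAGE = 'Status update <script>alert(1)</script> "quoted"'

# Affected POST parameters per endpoint, as listed in the advisory
# (the advisory's own 'xxx' path placeholders are kept as-is).
AFFECTED_PARAMS = {
    "/ekushey/index.php/client/project_message/add/xxx": {"message"},
    "/ekushey/index.php/client/project_bug/create/xxx": {"title", "description"},
    "/ekushey/index.php/client/project_file/upload/xxxx": {"description"},
    "/sociopro/profile/update_profile": {"name"},
}


def render_vulnerable(stored: str) -> str:
    """Reproduces the defect class: the stored value is interpolated into
    the page unchanged, so any markup in it becomes part of the DOM."""
    return f'<div class="msg">{stored}</div>'


def render_hardened(stored: str) -> str:
    """HTML text context: encode & < > " ' so the browser displays the
    characters instead of interpreting them as tags or attributes."""
    return f'<div class="msg">{html.escape(stored, quote=True)}</div>'


def render_attr_hardened(name: str) -> str:
    """HTML attribute context (e.g. a profile form pre-filled with 'name'):
    quote=True is what stops a value from closing the surrounding quotes."""
    return f'<input name="display_name" value="{html.escape(name, quote=True)}">'


# Allowlist for short identity fields such as Sociopro's 'name'. Free-text
# fields like 'message' or 'description' still rely on output encoding.
NAME_RE = re.compile(r"^[\w .-]{1,64}$", re.UNICODE)


def validate_name(name: str) -> bool:
    """Reject any 'name' value containing characters outside the allowlist."""
    return NAME_RE.fullmatch(name) is not None


def needs_encoding(endpoint: str, param: str) -> bool:
    """True if the advisory lists this POST parameter as affected."""
    return param in AFFECTED_PARAMS.get(endpoint, set())
```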