Multiple vulnerabilities in Creativeitem products

Posted date 02/10/2025
Identifier
INCIBE-2025-0535
Importance
3 - Medium
Affected Resources
  • Ekushey CRM, v5.0;
  • Sociopro.
Description

INCIBE has coordinated the publication of 4 vulnerabilities of medium severity affecting the Ekushey CRM and Sociopro products by Creativeitem, a platform for creating private social networks with full interaction features.

The vulnerabilities were discovered by Gonzalo Aguilar García (6h4ack).

These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • From CVE-2025-40989 to CVE-2025-40992: CVSS v4.0: 5.1 | CVSS vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79.
Solution

There is no reported solution at this time.

Detail

Creativeitem Ekushey CRM v5.0 has three Stored XSS vulnerabilities due to a lack of proper validation of user input sent in POST request parameters. The mapping between affected parameters and assigned identifiers is as follows:

  • CVE-2025-40989: parameter 'message' in '/ekushey/index.php/client/project_message/add/xxx'.
  • CVE-2025-40990: parameters 'title' and 'description' in '/ekushey/index.php/client/project_bug/create/xxx'.
  • CVE-2025-40991: parameter 'description' in '/ekushey/index.php/client/project_file/upload/xxxx'.

CVE-2025-40992: Stored XSS vulnerability in Creativeitem Sociopro due to a lack of proper validation of user input via the endpoint '/sociopro/profile/update_profile', affecting the 'name' parameter sent via POST. This vulnerability could allow a remote user to send a specially crafted request to an authenticated user and steal their session cookie.
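All four issues share one root cause: a user-supplied POST field ('message', 'title', 'description', 'name') is stored and later written into an HTML page without encoding. The following PHP snippet is an added illustration written for this advisory, not Creativeitem's code or a patch for it; it shows the vulnerable render pattern beside the hardened one, using constructed sample values whose field names simply mirror the parameters named above.

```php
<?php
// Added example (not Creativeitem code): the stored-XSS pattern described in the
// advisory, beside the defensive fix. Field names mirror the advisory's parameters;
// the request body and "stored" values are constructed in memory for illustration.

// Constructed sample POST body. The 'message' value carries markup of the kind an
// authenticated client user could submit to a project message/bug/file endpoint.
$post = [
    'message'     => '<script>alert(1)</script>',
    'title'       => 'Login form "broken"',
    'description' => "Steps: 1 < 2 && 'quotes'",
    'name'        => 'Alice <b>Admin</b>',
];

// Vulnerable pattern: the raw stored value is concatenated into HTML, so any
// markup in it is interpreted by the browser of every user who views the page.
function render_unsafe(string $stored): string
{
    return '<div class="message">' . $stored . '</div>';
}

// Hardened pattern: encode at the HTML output boundary. ENT_QUOTES escapes both
// quote styles, so the same helper is safe inside attribute values as well;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8 input.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $stored): string
{
    return '<div class="message">' . esc($stored) . '</div>';
}

// Optional input-side check for short plain-text fields such as a profile 'name':
// reject structural markup characters outright rather than trying to strip them.
// Output encoding above remains the primary control; this only narrows the input.
function is_plain_text(string $value): bool
{
    return preg_match('/[<>]/', $value) !== 1;
}

foreach ($post as $field => $value) {
    echo "$field (unsafe): " . render_unsafe($value) . PHP_EOL;
    echo "$field (safe):   " . render_safe($value) . PHP_EOL;
}
var_dump(is_plain_text($post['name']));   // bool(false): markup is rejected as a name
var_dump(is_plain_text('Alice Admin'));   // bool(true)
```

The key design point is that encoding happens when the value is rendered, not when it is stored: the same stored string may later be emitted into an HTML body, an attribute, or a JSON API response, and each of those contexts needs its own encoding, so escaping once on input cannot cover all of them.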

CVE

  • CVE-2025-40989: Severity: Medium; Exploitation: No; New vendor: Creativeitem.
  • CVE-2025-40990: Severity: Medium; Exploitation: No; New vendor: Creativeitem.
  • CVE-2025-40991: Severity: Medium; Exploitation: No; New vendor: Creativeitem.
  • CVE-2025-40992: Severity: Medium; Exploitation: No; New vendor: Creativeitem.