Multiple vulnerabilities in Energy CRM by Status Tracker
Posted date 10/10/2025
Identifier
INCIBE-2025-0555
Importance
3 - Medium
Affected Resources
Energy CRM, version 2025.
Description
INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Energy CRM by Status Tracker Ltd. The vulnerabilities were discovered by Andrea Intilangelo.
Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40640 and CVE-2025-40643: CVSS v4.0: 5.1 | CVSS vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79.
Solution
No solution has been reported at this time.
Detail
- CVE-2025-40640: Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd. The application does not properly validate user input sent in a POST request to “/crm/create_invoice_submit.php” in the “customerName_0” parameter, so the value is stored and later rendered unescaped. A remote user could send a specially crafted request to an authenticated user and steal their session cookie.
- CVE-2025-40643: Stored Cross-Site Scripting (XSS) vulnerability in Energy CRM v2025 by Status Tracker Ltd. The application does not properly validate user input sent in a POST request to “/crm/create_job_submit.php” in the “JobCreatedBy” parameter, so the value is stored and later rendered unescaped. A remote user could send a specially crafted request to an authenticated user and steal their session cookie.
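Until a vendor fix is available, one defensive measure is to flag POST requests to the two affected endpoints whose named parameter carries HTML metacharacters. The following is an added example, not code from the advisory or from Status Tracker; it assumes a constructed request log in the form "METHOD PATH URL-ENCODED-BODY" and should be adapted to the real log format.

```python
import re
from urllib.parse import parse_qs

# Endpoints and parameters named in CVE-2025-40640 and CVE-2025-40643.
WATCHED = {
    "/crm/create_invoice_submit.php": "customerName_0",
    "/crm/create_job_submit.php": "JobCreatedBy",
}

# A customer name or user name has no legitimate need for these characters;
# their presence is the minimal signal that markup is being stored.
HTML_META = re.compile(r"[<>\"']")

# Constructed sample log (hypothetical format: method, path, form body).
SAMPLE_LOG = [
    "POST /crm/create_invoice_submit.php customerName_0=ACME+Energy+Ltd&amount=120",
    "POST /crm/create_invoice_submit.php customerName_0=%3Cb%3EACME%3C%2Fb%3E&amount=50",
    "POST /crm/create_job_submit.php JobCreatedBy=alice&JobName=Meter+swap",
    "POST /crm/create_job_submit.php JobCreatedBy=bob%22%3E&JobName=Audit",
    "GET /crm/index.php",
]


def find_suspicious(lines):
    """Return (path, parameter, decoded value) for every watched parameter
    whose decoded value contains an HTML metacharacter."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST":
            continue
        _, path, body = parts
        param = WATCHED.get(path)
        if param is None:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, as PHP does.
        for value in parse_qs(body, keep_blank_values=True).get(param, []):
            if HTML_META.search(value):
                hits.append((path, param, value))
    return hits


if __name__ == "__main__":
    for path, param, value in find_suspicious(SAMPLE_LOG):
        print(f"suspicious {param} on {path}: {value!r}")
```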
CVE
CVE-2025-40640
- Exploitation: No
- New vendor: Energy CRM
- CVE identifier: CVE-2025-40640
- Severity: Medium
CVE-2025-40643
- Exploitation: No
- New vendor: Energy CRM
- CVE identifier: CVE-2025-40643
- Severity: Medium