CVE-2025-1360 describes a cross-site scripting (XSS) vulnerability in Sublime CRM versions up to 20250207. It allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The affected component is the HTTP POST Request Handler in the /crm/inicio.php file. A fix is available in version 20250207.0.1.
Successful exploitation of CVE-2025-1360 allows an attacker to inject arbitrary JavaScript code into the Sublime CRM application. This can lead to various malicious outcomes, including session hijacking, phishing attacks, and defacement of the CRM interface. An attacker could potentially steal sensitive customer data stored within the CRM, such as contact information, sales records, and financial details. The impact is amplified if the CRM is integrated with other systems, as the attacker could potentially gain access to those systems as well. The vulnerability's remote accessibility increases the risk of widespread exploitation.
CVE-2025-1360 was publicly disclosed on 2025-02-16. The vendor, Internet Web Solutions, was contacted prior to disclosure but did not respond. As of this writing, there are no publicly known proof-of-concept exploits. The CVSS base score is 3.5 (LOW); the score rates severity rather than likelihood of exploitation, but the potential impact still warrants immediate attention. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.11% (30th percentile)
The primary mitigation for CVE-2025-1360 is to upgrade Sublime CRM to version 20250207.0.1 or later. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'msgto' parameter within the /crm/inicio.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies and procedures to prevent similar vulnerabilities in the future. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload via the 'msgto' parameter and verifying that it is properly sanitized.
Update Sublime CRM to a version later than 20250207, if available, that fixes the XSS vulnerability. If no fixed version is available, consider disabling or removing the affected component (inicio.php), or implement input sanitization for the msgto parameter in inicio.php to prevent script injection.
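The two mitigations above, allowlist validation of the msgto value and output encoding before it is written into HTML, look like this in practice. The block below is an added illustration and is not Sublime CRM's code: the only names taken from the advisory are the msgto parameter and inicio.php, while the handler shape, the render_unsafe/render_safe functions and the recipient format assumed by validate_msgto are assumptions made for the example.

```php
<?php
// Added illustration, not Sublime CRM's own code: a minimal stand-in for a
// POST handler that reflects the 'msgto' parameter back into an HTML page.
declare(strict_types=1);

// Vulnerable pattern (assumed shape of the bug, shown for contrast only):
// the raw request value is concatenated into markup without encoding.
function render_unsafe(string $msgto): string
{
    return '<p>Message to: ' . $msgto . '</p>';
}

// Output encoding for an HTML text or attribute context. ENT_QUOTES also
// encodes single quotes, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, and the charset is stated explicitly.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allowlist validation. The constraint is an assumption for illustration:
// a recipient identifier of letters, digits, '.', '_', '-' or '@', up to 64
// characters. Unexpected input is rejected rather than "cleaned".
function validate_msgto(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > 64) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._@-]+$/', $value)) {
        return null;
    }
    return $value;
}

// Hardened handler: validate first, then encode for the output context.
// Encoding is kept even after validation as defence in depth.
function render_safe(string $msgto): string
{
    $validated = validate_msgto($msgto);
    if ($validated === null) {
        return '<p>Invalid recipient.</p>';
    }
    return '<p>Message to: ' . encode_for_html($validated) . '</p>';
}

// Self-check with constructed inputs when run from the CLI: php xss_msgto.php
if (PHP_SAPI === 'cli') {
    $payload = '<script>alert(1)</script>';  // constructed test input
    $benign  = 'sales.team@example.com';    // constructed test input

    echo "unsafe:  " . render_unsafe($payload) . "\n";
    echo "encoded: " . encode_for_html($payload) . "\n";
    echo "safe:    " . render_safe($payload) . "\n";
    echo "benign:  " . render_safe($benign) . "\n";

    if (encode_for_html($payload) !== '&lt;script&gt;alert(1)&lt;/script&gt;') {
        throw new RuntimeException('encoding did not neutralise the tag');
    }
    if (strpos(render_safe($payload), '<script') !== false) {
        throw new RuntimeException('hardened handler reflected raw markup');
    }
    if (render_safe($benign) !== '<p>Message to: sales.team@example.com</p>') {
        throw new RuntimeException('benign value was mishandled');
    }
}
```

The encoding function is only correct for HTML text and quoted attribute values; a value placed inside a script block, a URL or a CSS rule needs the encoder for that context instead. The same two checks (the encoded payload contains no literal tag, and a legitimate recipient still renders) are what the post-upgrade verification step in the mitigation text is looking for.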
CVE-2025-1360 is a cross-site scripting (XSS) vulnerability in Sublime CRM versions up to 20250207, allowing attackers to inject malicious scripts.
You are affected if you are using Sublime CRM versions prior to 20250207.0.1.
Upgrade to Sublime CRM version 20250207.0.1 or later. Implement input validation and output encoding as a temporary workaround.
As of now, there are no publicly known active exploits for CVE-2025-1360, but the vulnerability remains a risk.
Refer to the Internet Web Solutions website or their security advisory page for the official advisory regarding CVE-2025-1360.