CVE-2018-18417

MEDIUM

Ekushey Project Manager CRM 3.1 - Stored Cross-Site Scripting via Client Name Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-18417. PoCs published by Ismail Tasdelen.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Ekushey Project Manager CRM 3.1 by injecting malicious scripts into form fields (e.g., name, address, short_note) and file uploads. The payloads trigger JavaScript alerts when rendered in the application.

Description

In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload sections, as demonstrated by the name parameter to the index.php/admin/client/create URI.

Exploits (1)

exploitdb WORKING POC
by Ismail Tasdelen · textwebappsphp
https://www.exploit-db.com/exploits/45681

This exploit demonstrates a stored XSS vulnerability in Ekushey Project Manager CRM 3.1 by injecting malicious scripts into form fields (e.g., name, address, short_note) and file uploads. The payloads trigger JavaScript alerts when rendered in the application.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Ekushey Project Manager CRM 3.1
Auth required
Prerequisites: Access to an authenticated session (ci_session cookie) · Ability to submit POST requests to the target endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45681/

Scores

CVSS v3 5.4
EPSS 0.0164
EPSS Percentile 73.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
creativeitem/ekushey_project_manager 3.1
Published Oct 19, 2018
Tracked Since Feb 18, 2026