CVE-2025-10342
📋 TL;DR
A stored HTML injection vulnerability in Perfex CRM v3.2.1 allows attackers to inject malicious HTML content via the 'name' parameter in POST requests to the '/subscriptions/create' endpoint. This affects all users of Perfex CRM v3.2.1 who have subscription creation functionality enabled. The vulnerability enables attackers to execute cross-site scripting attacks against legitimate users.
💻 Affected Systems
- Perfex CRM
📦 What is this software?
Perfex CRM by Perfexcrm
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users, potentially leading to account takeover and data theft.
Likely Case
Attackers inject HTML that displays misleading information, defaces the application, or redirects users to malicious sites, compromising user trust and potentially capturing credentials.
If Mitigated
With proper input validation and output encoding, injected HTML would be rendered as plain text rather than executable code, preventing any malicious impact.
🎯 Exploit Status
Exploitation requires the ability to create subscriptions, which typically requires some level of authentication. The vulnerability is stored, meaning injected content persists and affects multiple users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.2.2 or later
Vendor Advisory: https://www.perfexcrm.com/
Restart Required: No
Instructions:
1. Backup your current installation.
2. Download the latest version from the official Perfex CRM website.
3. Replace the affected files with the patched version.
4. Clear any cached data.
5. Verify the fix by testing subscription creation with HTML input.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to strip or escape HTML tags from the 'name' parameter before processing.
Add input sanitization in the subscription creation controller to filter HTML tags from user input.
🧯 If You Can't Patch
- Disable subscription creation functionality entirely if not needed
- Implement a web application firewall (WAF) rule to block HTML injection patterns in the 'name' parameter
🔍 How to Verify
Check if Vulnerable:
Attempt to create a subscription with HTML content in the name field (e.g., <script>alert('test')</script>) and check if it's stored and rendered as HTML.
Check Version:
Check the version in the Perfex CRM admin panel or review the application's version file.
Verify Fix Applied:
After patching, repeat the test with HTML input; it should be stored as plain text or rejected entirely.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to '/subscriptions/create' with HTML tags in parameters
- Multiple failed subscription creation attempts with suspicious content
Network Indicators:
- HTTP POST requests containing HTML/script tags in the 'name' parameter
SIEM Query:
source="web_server" AND uri="/subscriptions/create" AND method="POST" AND (param_name="name" AND value MATCHES "<.*>")
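The SIEM query above and the escaping workaround from the Temporary Workarounds section, implemented together as an added Python example (not code from Perfex CRM or the advisory). It assumes JSON web-server log records with `source`, `method`, `uri`, `client` and a form-encoded `body` field; the log lines are constructed for the example, and the field names are an assumption rather than Perfex CRM's own log format.

```python
import json
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Equivalent of the SIEM query's value MATCHES "<.*>" clause: any complete HTML-like tag.
HTML_TAG_RE = re.compile(r"<[^>]*>")

# Constructed sample log records (JSON, one per line); the field names are assumptions,
# not Perfex CRM's own log format. The 'body' field holds the form-encoded POST body.
SAMPLE_LOGS = """\
{"source": "web_server", "method": "POST", "uri": "/subscriptions/create", "client": "198.51.100.7", "body": "name=Gold+plan&amount=49"}
{"source": "web_server", "method": "POST", "uri": "/subscriptions/create", "client": "203.0.113.9", "body": "name=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E&amount=1"}
{"source": "web_server", "method": "POST", "uri": "/subscriptions/create", "client": "203.0.113.9", "body": "name=%3Cimg+src%3Dx%3E&amount=1"}
{"source": "web_server", "method": "GET", "uri": "/subscriptions/create", "client": "198.51.100.7", "body": ""}
{"source": "web_server", "method": "POST", "uri": "/invoices/create", "client": "198.51.100.7", "body": "name=%3Cb%3Ebold%3C%2Fb%3E"}
"""


def find_html_injection_attempts(log_text: str) -> list[dict]:
    """Apply the advisory's SIEM query to JSON log lines: POST to /subscriptions/create
    whose decoded 'name' form parameter contains an HTML tag. Returns one dict per hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("source") != "web_server" or rec.get("method") != "POST":
            continue
        if urlsplit(rec.get("uri", "")).path != "/subscriptions/create":
            continue
        # parse_qs decodes percent-encoding and '+', so URL-encoded tags are still caught.
        for value in parse_qs(rec.get("body", "")).get("name", []):
            if HTML_TAG_RE.search(value):
                hits.append({"client": rec.get("client"), "name": value})
    return hits


def sanitize_name(value: str) -> str:
    """The workaround from the advisory: escape the 'name' parameter so it is stored
    and rendered as plain text instead of markup."""
    return escape(value, quote=True)


if __name__ == "__main__":
    for hit in find_html_injection_attempts(SAMPLE_LOGS):
        print(f"{hit['client']} sent name={hit['name']!r} -> stored as {sanitize_name(hit['name'])!r}")
```

Only the two POSTs to the subscription endpoint carrying a tag in `name` are flagged; the GET, the benign name and the same payload sent to a different endpoint are not.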