CVE-2025-10343
📋 TL;DR
This CVE describes a stored HTML injection vulnerability in Perfex CRM v3.2.1 where attackers can inject malicious HTML via the 'expense_name' parameter in POST requests to the '/expenses/expense' endpoint. This affects all Perfex CRM v3.2.1 installations, potentially allowing attackers to deface pages, steal session cookies, or redirect users to malicious sites.
💻 Affected Systems
- Perfex CRM
📦 What is this software?
Perfex CRM by Perfexcrm
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious scripts that steal session cookies, perform account takeover, redirect users to phishing sites, or deface the CRM interface for all users.
Likely Case
Attackers inject HTML/JavaScript to deface expense pages, steal session cookies from authenticated users, or redirect users to malicious sites.
If Mitigated
With proper input validation and output encoding, injected HTML would be rendered as plain text rather than executed, preventing exploitation.
🎯 Exploit Status
Exploitation requires authenticated access to create expenses. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.2.2 or later
Vendor Advisory: https://www.perfexcrm.com/
Restart Required: No
Instructions:
1. Backup your Perfex CRM installation and database.
2. Download the latest version from the official Perfex CRM website.
3. Replace the existing installation files with the updated version.
4. Run any database update scripts if provided.
5. Verify the fix by testing the expense creation functionality.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation that encodes or strips HTML tags from the expense_name parameter before the value is processed, and make sure the stored value is also encoded wherever it is rendered.
In the expense creation controller, add: $expense_name = htmlspecialchars($_POST['expense_name'], ENT_QUOTES, 'UTF-8');
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with rules to block HTML injection patterns in POST requests to '/expenses/expense'.
- Restrict access to the expense creation functionality to only trusted users and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Create an expense with HTML content in the expense_name field (e.g., <script>alert('test')</script>) and check if it executes when viewing the expense list.
Check Version:
Check the version in the Perfex CRM admin panel under System > Updates or view the application/config/config.php file for version information.
Verify Fix Applied:
After patching, attempt the same HTML injection test. The HTML should be displayed as plain text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- POST requests to '/expenses/expense' with HTML tags in parameters
- Unusual expense names containing script tags or HTML entities
Network Indicators:
- POST requests containing HTML/JavaScript patterns in expense_name parameter
SIEM Query:
source="web_logs" AND uri="/expenses/expense" AND method="POST" AND (expense_name CONTAINS "<script>" OR expense_name CONTAINS "javascript:")
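The SIEM query above matches only a literal "<script>" or "javascript:" in the raw field, so a payload that arrives percent-encoded, double-encoded, entity-encoded or in mixed case is missed. The following added example (not part of the advisory or of Perfex CRM) applies the same POST /expenses/expense rule to constructed log records, but decodes the expense_name value first and matches a broader tag/handler pattern; the record shape (method, uri, raw POST body) is an assumption.

```python
import re
from html import unescape
from urllib.parse import parse_qs, unquote_plus

# Heuristic markers of HTML/JavaScript injection in a free-text field.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object|embed|meta|form|a)\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

def decode_field(raw: str) -> str:
    """Undo percent-encoding and HTML entities until the value is stable
    (bounded, so pathological input cannot loop forever)."""
    value = raw
    for _ in range(3):
        decoded = unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def is_expense_injection(record: dict) -> bool:
    """True for a POST to /expenses/expense whose expense_name carries
    HTML or JavaScript once fully decoded."""
    if record.get("method") != "POST":
        return False
    if record.get("uri", "").split("?", 1)[0] != "/expenses/expense":
        return False
    form = parse_qs(record.get("body", ""), keep_blank_values=True)
    return any(SUSPICIOUS.search(decode_field(v)) for v in form.get("expense_name", []))

def flag_records(records):
    """Return the subset of records that look like injection attempts."""
    return [r for r in records if is_expense_injection(r)]

# Constructed sample records (assumed log shape); not real traffic.
SAMPLE_LOGS = [
    {"method": "POST", "uri": "/expenses/expense", "body": "expense_name=Office+chairs&amount=120"},
    {"method": "POST", "uri": "/expenses/expense", "body": "expense_name=%3Cscript%3Etest%3C%2Fscript%3E"},
    {"method": "POST", "uri": "/expenses/expense", "body": "expense_name=%3CIMG+SRC%3Dx+ONERROR%3Dtest%3E"},
    {"method": "POST", "uri": "/expenses/expense", "body": "expense_name=%253Cscript%253Etest%253C%252Fscript%253E"},
    {"method": "POST", "uri": "/expenses/expense", "body": "expense_name=%26lt%3Bscript%26gt%3Btest"},
    {"method": "POST", "uri": "/expenses/expense", "body": "expense_name=Travel+%3C+500+USD"},
    {"method": "GET", "uri": "/expenses/expense", "body": ""},
]

if __name__ == "__main__":
    for r in flag_records(SAMPLE_LOGS):
        print("FLAGGED:", r["body"])
```

The last two samples show the intended negatives: a bare "<" inside an ordinary expense name and a GET to the same path are not flagged.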