CVE-2025-10345
📋 TL;DR
This CVE describes a stored HTML injection vulnerability in Perfex CRM v3.2.1 where attackers can inject malicious HTML/JavaScript into the 'name' and 'address' fields when creating leads. This allows attackers to perform cross-site scripting attacks that affect all users who view the compromised lead data. The vulnerability affects administrators and users with lead management access.
💻 Affected Systems
- Perfex CRM
📦 What is this software?
Perfex CRM by Perfexcrm
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin session cookies, perform account takeover, redirect users to malicious sites, or deface the CRM interface for all users viewing compromised leads.
Likely Case
Attackers inject malicious scripts that steal user session cookies or credentials when users view compromised lead records, leading to account compromise.
If Mitigated
With proper input validation and output encoding, injected HTML would be rendered as plain text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to the vulnerable endpoint. Attackers need to craft malicious HTML/JavaScript payloads in the name and address parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.2.2 or later
Vendor Advisory: https://www.perfexcrm.com/
Restart Required: No
Instructions:
1. Backup your current installation.
2. Download the latest version from the official Perfex CRM website.
3. Replace the affected files with the patched version.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
- Implement server-side input validation that rejects or strips HTML tags in the name and address fields before the lead is stored.
- Implement HTML entity encoding for user inputs in the lead creation/update functions so that stored markup is displayed as text rather than interpreted by the browser.
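The following Python block is an added illustration, not code from Perfex CRM or its vendor: it stands in for the PHP application and shows the two workarounds above side by side with the "Verify Fix Applied" check from later in this advisory. Raw interpolation of the lead fields is placed next to the entity-encoded form, a server-side tag filter implements the input-validation workaround, and a predicate checks that the advisory's own test payload reaches the page as text. The function names, the lead dictionary and the tag regex are assumptions; only the field names and the payload come from the advisory.

```python
import html
import re

# The advisory's own test string, used here as constructed sample input.
TEST_PAYLOAD = "<script>alert('test')</script>"

# Hypothetical filter for the "Input Validation Filter" workaround: refuse any
# lead field that contains a tag instead of trying to clean it in place.
TAG_RE = re.compile(r"<[^>]*>")


def reject_html(value: str) -> str:
    """Return the value unchanged, or raise if it contains markup."""
    if TAG_RE.search(value):
        raise ValueError("HTML tags are not allowed in lead name/address fields")
    return value


def render_lead_unsafe(lead: dict) -> str:
    """The vulnerable pattern: stored user data interpolated straight into markup."""
    return f"<tr><td>{lead['name']}</td><td>{lead['address']}</td></tr>"


def render_lead_safe(lead: dict) -> str:
    """The hardened pattern: HTML entity encoding at output time.
    quote=True also encodes quote characters, so the same value is safe
    inside an attribute as well as in element text."""
    name = html.escape(lead["name"], quote=True)
    address = html.escape(lead["address"], quote=True)
    return f"<tr><td>{name}</td><td>{address}</td></tr>"


def renders_as_plain_text(rendered: str, submitted: str) -> bool:
    """The 'Verify Fix Applied' check: the entity-encoded form of the submitted
    value must be present, and the raw form must not survive as live markup
    (values with no special characters are identical in both forms)."""
    escaped = html.escape(submitted, quote=True)
    return escaped in rendered and (escaped == submitted or submitted not in rendered)


if __name__ == "__main__":
    lead = {"name": TEST_PAYLOAD, "address": "1 Main St"}
    print("unsafe :", render_lead_unsafe(lead))
    print("safe   :", render_lead_safe(lead))
    print("fixed  :", renders_as_plain_text(render_lead_safe(lead), TEST_PAYLOAD))
```

Output encoding is the durable fix: it keeps legitimate values such as "Smith & Sons" intact for the reader while neutralising anything that was stored as markup, whereas the tag filter is defence in depth and will also reject harmless angle brackets in otherwise valid data.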
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious HTML/JavaScript payloads.
- Restrict access to the admin/leads/lead endpoint to only trusted IP addresses or users.
🔍 How to Verify
Check if Vulnerable:
Test by creating a lead with HTML tags in name/address fields (e.g., <script>alert('test')</script>) and check if they execute when viewing the lead.
Check Version:
Check the version in the admin dashboard or review the application's version file.
Verify Fix Applied:
After patching, attempt the same test payloads and verify they are displayed as plain text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin/leads/lead with HTML/JavaScript in parameters
- Multiple lead creations/modifications with suspicious content
Network Indicators:
- HTTP requests containing script tags or JavaScript in POST parameters to the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri_path="/admin/leads/lead" AND (param_name="name" OR param_name="address") AND (param_value MATCHES "<script.*>.*</script>" OR param_value MATCHES "javascript:")
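As an added example (not part of this advisory and not a Perfex CRM component), the detector below applies the same two indicators as the SIEM query above to a handful of constructed log lines. The log format is an assumption made for the example: a standard access log does not record POST bodies, so this assumes an application or WAF log that carries the URL-encoded form body in quotes. The endpoint path and the two parameter names are the ones the advisory gives; the timestamps, client addresses and function names are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed log format (assumption for this example):
#   <timestamp> <client-ip> <method> <path> <status> "<url-encoded form body>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<body>.*)"$'
)

# Endpoint and parameters named in the advisory.
TARGET_PATH = "/admin/leads/lead"
WATCHED_PARAMS = ("name", "address")

# The same two indicators as the advisory's SIEM query: a script element or a
# javascript: URI, matched case-insensitively and across newlines.
SUSPICIOUS_RE = re.compile(r"<script[^>]*>.*?</script>|javascript:", re.IGNORECASE | re.DOTALL)

# Constructed sample lines: a benign lead, the advisory's test payload
# percent-encoded in 'name', a javascript: URI in 'address', and a GET with no body.
SAMPLE_LOG = [
    '2025-09-12T10:01:02Z 203.0.113.5 POST /admin/leads/lead 200 "name=Acme+Ltd&address=1+Main+St"',
    '2025-09-12T10:03:11Z 198.51.100.7 POST /admin/leads/lead 200 '
    '"name=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E&address=2+High+St"',
    '2025-09-12T10:04:40Z 198.51.100.7 POST /admin/leads/lead 200 "name=Bob&address=javascript%3Avoid%280%29"',
    '2025-09-12T10:05:00Z 203.0.113.5 GET /admin/leads/lead 200 ""',
]


def flag_request(line: str):
    """Return a finding for a suspicious write to the lead endpoint, else None."""
    m = LOG_RE.match(line)
    if m is None or m["method"] != "POST" or m["path"] != TARGET_PATH:
        return None
    # parse_qs decodes percent-encoding and '+' exactly once, as the server does,
    # so the detector sees the same value the application would store.
    params = parse_qs(m["body"], keep_blank_values=True)
    hits = [(p, v) for p in WATCHED_PARAMS for v in params.get(p, []) if SUSPICIOUS_RE.search(v)]
    if not hits:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "hits": hits}


def scan_log(lines):
    """Run the detector over an iterable of log lines; findings keep log order."""
    return [f for f in map(flag_request, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["hits"])
```

The pattern is deliberately as narrow as the advisory's query, so it is a triage signal rather than a control: markup that uses neither a script element nor a javascript: URI is not matched, which is why the detection belongs alongside output encoding, not in place of it. Counting findings per client address over a window would cover the "multiple lead creations/modifications" indicator listed above.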