CVE-2025-10346
📋 TL;DR
This CVE describes a stored HTML injection vulnerability in Perfex CRM v3.2.1 that allows attackers to inject malicious HTML content into knowledge base articles. The vulnerability affects all users of Perfex CRM v3.2.1 who have access to create or modify knowledge base articles. Successful exploitation could lead to cross-site scripting attacks against other users viewing the compromised articles.
💻 Affected Systems
- Perfex CRM
📦 What is this software?
Perfex CRM by Perfexcrm
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users, potentially leading to account compromise and data theft.
Likely Case
Attackers inject HTML that displays misleading information, defaces the knowledge base, or redirects users to malicious sites, compromising the integrity of the CRM system.
If Mitigated
With proper input validation and output encoding, injected HTML would be rendered as plain text rather than executable code, preventing any malicious impact.
🎯 Exploit Status
Exploitation requires authenticated access to create or modify knowledge base articles. The vulnerability is in the 'subject' parameter of the knowledge_base/article endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after v3.2.1
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-perfex-crm
Restart Required: No
Instructions:
1. Update Perfex CRM to the latest version.
2. Verify the patch by checking that HTML injection in the 'subject' parameter is no longer possible.
3. Review existing knowledge base articles for malicious content.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize HTML tags in the 'subject' parameter before processing.
Implement input sanitization in the knowledge_base/article endpoint controller, and keep output encoding in place wherever the subject is rendered, since input filtering alone is easy to bypass.
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with HTML injection rules
- Disable knowledge base article creation/modification for non-admin users
🔍 How to Verify
Check if Vulnerable:
Attempt to inject HTML tags like <script>alert('test')</script> into the 'subject' parameter when creating a knowledge base article. If the script executes when viewing the article, the system is vulnerable.
Check Version:
Check the Perfex CRM version in the admin panel or via the application's version file.
Verify Fix Applied:
After patching, repeat the HTML injection test. The HTML should be displayed as plain text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to knowledge_base/article with HTML tags in parameters
- Multiple failed injection attempts
Network Indicators:
- HTTP POST requests containing script tags or other HTML injection payloads
SIEM Query:
source="web_logs" AND uri="/knowledge_base/article" AND method="POST" AND param="subject" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
(Note: this match is case-sensitive and runs on the raw value, so "<SCRIPT>" or URL-encoded payloads such as "%3Cscript%3E" are not caught; normalize case and decode before matching.)
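The detection logic above, as an added example that is not part of the original advisory: it runs over constructed log records (a hypothetical "METHOD URI FORM-BODY" format, assuming an application or proxy log that records POST bodies), restricts the match to the 'subject' parameter of the knowledge_base/article endpoint, and, unlike the SIEM query, matches case-insensitively after URL-decoding so uppercase and double-encoded payloads are also flagged.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample records (hypothetical "METHOD URI FORM-BODY" format).
# Real access logs normally omit POST bodies; this assumes an application or
# reverse-proxy log configured to record them.
SAMPLE_LOGS = [
    "POST /knowledge_base/article subject=Reset+your+password&description=Step+1",
    "POST /knowledge_base/article subject=Quotas+%3C+100+per+user",
    "POST /knowledge_base/article subject=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E",
    "POST /knowledge_base/article subject=%3CSCRIPT+%3Ealert%281%29%3C%2FSCRIPT%3E",
    "POST /knowledge_base/article subject=%3Ca+href%3D%22javascript%3Aalert%281%29%22%3Ehelp%3C%2Fa%3E",
    "POST /knowledge_base/article subject=%253Cscript%253Ealert%281%29%253C%2Fscript%253E",
    "POST /tickets subject=%3Cscript%3Ex%3C%2Fscript%3E",
    "GET /knowledge_base/article?id=5",
]

TARGET_URI = "/knowledge_base/article"
# '<' followed (after optional whitespace and '/') by a tag name: matches
# "<SCRIPT >" and "</script>" but not a plain comparison like "Quotas < 100".
TAG_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)
JS_URI_RE = re.compile(r"javascript\s*:", re.IGNORECASE)

def subject_is_suspicious(value: str) -> bool:
    """True if a submitted 'subject' value carries an HTML tag or javascript: URI.
    The value is tested as received and once more URL-decoded, so a
    double-encoded payload (%253C...) is not missed."""
    for candidate in (value, unquote_plus(value)):
        if TAG_RE.search(candidate) or JS_URI_RE.search(candidate):
            return True
    return False

def is_injection_attempt(line: str) -> bool:
    """Parse one record and decide whether it is a POST to the article
    endpoint whose 'subject' parameter looks like an injection attempt."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return False  # no form body to inspect
    method, uri, body = parts
    if method != "POST" or uri.split("?", 1)[0] != TARGET_URI:
        return False
    params = parse_qs(body, keep_blank_values=True)  # decodes %XX and '+'
    return any(subject_is_suspicious(v) for v in params.get("subject", []))

def find_injection_attempts(lines):
    """Return the records that should raise an alert."""
    return [line for line in lines if is_injection_attempt(line)]

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOGS):
        print("ALERT:", hit)
```

Against the sample records the two benign subjects, the POST to a different endpoint and the GET are ignored, while the four encoded payloads are reported.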