CVE-2025-55903
📋 TL;DR
An HTML injection vulnerability in Perfex CRM v3.3.1 allows attackers to inject arbitrary HTML into the 'Bill To' address field in the estimate module. This HTML is rendered unescaped in client-facing documents, potentially enabling phishing attacks or content manipulation. All users of Perfex CRM v3.3.1 who generate estimates are affected.
💻 Affected Systems
- Perfex CRM
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious scripts that execute in clients' browsers when viewing estimates, leading to session hijacking, credential theft, or malware distribution through client documents.
Likely Case
Attackers inject phishing content or deface estimates to impersonate legitimate business communications, damaging trust and potentially redirecting payments.
If Mitigated
With proper input validation and output encoding, HTML injection would be neutralized, rendering injected content as harmless text.
🎯 Exploit Status
Exploitation requires authenticated access to create or edit estimates; public proof-of-concept code is available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://codecanyon.net/item/perfex-powerful-open-source-crm/14013737
Restart Required: No
Instructions:
Check vendor website for updates; if no patch, implement input validation and output encoding in the estimate module code.
🔧 Temporary Workarounds
Input Sanitization
Add server-side validation to sanitize HTML tags from the 'Bill To' address field before processing.
Edit the relevant PHP file in the estimate module to apply htmlspecialchars() or similar filtering to user input.
Output Encoding
Ensure all user-controlled data in estimates is HTML-encoded before rendering in documents.
Modify document generation templates to use htmlentities() or equivalent encoding functions.
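The two workarounds above (sanitizing the field on input, encoding it on output) are shown together in the following PHP snippet. This is an added illustration, not code from Perfex CRM: the function names (`render_bill_to_unsafe`, `render_bill_to_safe`, `sanitize_bill_to_input`) and the sample address are constructed for the example, and the template fragment is a placeholder for wherever the application's estimate template prints the address.

```php
<?php
declare(strict_types=1);

// Added example (not Perfex CRM code). Shows the vulnerable rendering pattern
// beside the encoded one for a multi-line "Bill To" address field.

// Constructed sample input: an address field carrying injected markup.
$billTo = "Acme Ltd\n"
    . "<img src=x onerror=alert(1)>\n"
    . "12 Example Street\n"
    . "<a href=\"https://evil.example/pay\">Pay here</a>";

// Vulnerable pattern: the stored value is concatenated into the template as-is,
// so any tags it contains become part of the estimate document.
function render_bill_to_unsafe(string $address): string
{
    return '<div class="bill-to">' . nl2br($address) . '</div>';
}

// Hardened pattern: encode the value first, then restore line breaks.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8 (which would silently drop the address).
function render_bill_to_safe(string $address): string
{
    $encoded = htmlspecialchars($address, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="bill-to">' . nl2br($encoded, false) . '</div>';
}

// Optional input-time sanitisation: strip tags and control characters (keeping
// newlines, which a postal address legitimately contains). This is defence in
// depth only; the value must still be encoded on output, because strip_tags()
// does not handle every way markup can be smuggled through.
function sanitize_bill_to_input(string $address): string
{
    $noTags = strip_tags($address);
    $clean = preg_replace('/[\x00-\x09\x0B-\x1F\x7F]/', '', $noTags);
    return trim($clean ?? '');
}

echo "--- unsafe (tags reach the document) ---\n";
echo render_bill_to_unsafe($billTo), "\n\n";

echo "--- safe (tags shown as text) ---\n";
echo render_bill_to_safe($billTo), "\n\n";

echo "--- sanitised on input ---\n";
echo sanitize_bill_to_input($billTo), "\n";
```

Run it with `php example.php`: the unsafe output contains a live `<img ...>` and `<a ...>` element, while the safe output contains `&lt;img ...&gt;` and `&lt;a ...&gt;`, which a browser or PDF renderer displays as literal text. Apply the encoding in the template or view layer of every document that prints the address (HTML preview, PDF, e-mail), not only in one of them.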
🧯 If You Can't Patch
- Restrict access to the estimate module to trusted users only.
- Monitor and audit estimate creation for suspicious HTML content in address fields.
🔍 How to Verify
Check if Vulnerable:
Create an estimate with HTML tags (e.g., <script>alert('test')</script>) in the 'Bill To' address field and check if they execute or render in the generated document.
Check Version:
Check the Perfex CRM version in the admin panel or via the application's configuration files.
Verify Fix Applied:
After applying fixes, repeat the test; HTML should appear as plain text without execution.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML or script tags in estimate-related logs or database entries for address fields.
Network Indicators:
- Unexpected HTML content in estimate documents served to clients.
SIEM Query:
Search for patterns like '<script>' or 'javascript:' in estimate creation/modification events.
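The log and database indicators above can be checked with a small audit script. The following PHP is an added example, not part of Perfex CRM or of any SIEM product: the row layout (`id`, `billing_street`, `billing_city`) and the sample rows are constructed for illustration, so map the column names to your installation's actual schema before pointing it at real data.

```php
<?php
declare(strict_types=1);

// Added example (not Perfex CRM code): audit estimate address fields for
// HTML or script markup. Rows are constructed; column names are assumptions.

// Indicator patterns, most specific first. The last pattern flags any tag at
// all, which is appropriate for a field that should never contain markup.
const HTML_INDICATORS = [
    'script_tag'       => '/<\s*script\b/i',
    'javascript_uri'   => '/javascript\s*:/i',
    'event_handler'    => '/\bon[a-z]+\s*=/i',
    'embedded_content' => '/<\s*(iframe|object|embed|form|meta)\b/i',
    'any_tag'          => '/<\s*[a-z!\/][^>]*>/i',
];

const ADDRESS_COLUMNS = ['billing_street', 'billing_city'];

/**
 * Return one finding per address field that matches an indicator.
 * The value is also checked after entity-decoding so that a payload stored
 * in encoded form (e.g. &lt;script&gt;) is surfaced for review too.
 */
function scan_address_fields(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach (ADDRESS_COLUMNS as $col) {
            $value   = (string)($row[$col] ?? '');
            $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            foreach (HTML_INDICATORS as $name => $re) {
                if (preg_match($re, $value) || preg_match($re, $decoded)) {
                    $findings[] = [
                        'estimate_id' => $row['id'],
                        'field'       => $col,
                        'indicator'   => $name,
                        'excerpt'     => mb_substr($value, 0, 60),
                    ];
                    break; // one finding per field is enough for triage
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows: two benign addresses and two with injected markup.
$sampleRows = [
    ['id' => 101, 'billing_street' => "12 Example Street\nSuite 4", 'billing_city' => 'Springfield'],
    ['id' => 102, 'billing_street' => 'Smith & Co, 8 Main St', 'billing_city' => 'Shelbyville'],
    ['id' => 103, 'billing_street' => "<script>alert('test')</script>", 'billing_city' => 'Springfield'],
    ['id' => 104, 'billing_street' => '9 High Street', 'billing_city' => '<a href="javascript:void(0)">Pay now</a>'],
];

foreach (scan_address_fields($sampleRows) as $f) {
    printf("estimate %d field %s: %s (%s)\n",
        $f['estimate_id'], $f['field'], $f['indicator'], $f['excerpt']);
}
```

On the sample rows the script reports estimate 103 (`script_tag`) and estimate 104 (`javascript_uri`); the ampersand in estimate 102 is not flagged. The same regular expressions can be reused as the SIEM query on estimate creation and modification events, and running the scan on a schedule against the database catches content that was injected before logging was in place.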