Multiple vulnerabilities in Perfex CRM
Posted date 29/09/2025
Identificador
INCIBE-2025-0523
Importance
3 - Medium
Affected Resources
Perfex CRM, v3.2.1.
Description
INCIBE has coordinated the publication of 6 vulnerabilities of medium severity, affecting Perfex CRM de Perfex CRM, a customer relationship management system. The vulnerabilities were discovered by Gonzalo Aguilar García (6h4ack).
These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type for each vulnerability:
- From CVE-2025-10341 to CVE-2025-10346: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N | CWE-79.
Solution
The vulnerabilities have been fixed by Perfex CRM team in version 3.4.0.
Detail
HTML injection vulnerabilities in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows:
- CVE-2025-10341: parameter 'company' in '/clients/client/x';
- CVE-2025-10342: parameter 'name' in '/subscriptions/create';
- CVE-2025-10343: parameter 'expense_name' in '/expenses/expense';
- CVE-2025-10344: parameters 'name' and 'clientid' in '/projects/project/x';
- CVE-2025-10345: parameters 'name' and 'address' in '/admin/leads/lead';
- CVE-2025-10346: parameter 'subject' in '/knowledge_base/article'.
CVE
Explotación
No
Nuevo Fabricante
Perfex
Identificador CVE
CVE-2025-10341
Severidad
Media
Explotación
No
Nuevo Fabricante
Perfex
Identificador CVE
CVE-2025-10342
Severidad
Media
Explotación
No
Nuevo Fabricante
Perfex
Identificador CVE
CVE-2025-10343
Severidad
Media
Explotación
No
Nuevo Fabricante
Perfex
Identificador CVE
CVE-2025-10344
Severidad
Media
Explotación
No
Nuevo Fabricante
Perfex
Identificador CVE
CVE-2025-10345
Severidad
Media
Explotación
No
Nuevo Fabricante
Perfex
Identificador CVE
CVE-2025-10346
Severidad
Media
References list
Etiquetas
