Multiple vulnerabilities in Perfex CRM

Posted date 29/09/2025
Identifier
INCIBE-2025-0523
Importance
3 - Medium
Affected Resources

Perfex CRM, v3.2.1.

Description

INCIBE has coordinated the publication of 6 vulnerabilities of medium severity affecting Perfex CRM, a customer relationship management system developed by Perfex CRM. The vulnerabilities were discovered by Gonzalo Aguilar García (6h4ack).

Each vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • From CVE-2025-10341 to CVE-2025-10346: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N | CWE-79.
Solution

The vulnerabilities have been fixed by the Perfex CRM team in version 3.4.0.

Detail

Perfex CRM v3.2.1 contains stored HTML injection vulnerabilities caused by insufficient validation of user input submitted in POST requests. The affected parameters and their assigned identifiers are as follows:

  • CVE-2025-10341: parameter 'company' in '/clients/client/x';
  • CVE-2025-10342: parameter 'name' in '/subscriptions/create';
  • CVE-2025-10343: parameter 'expense_name' in '/expenses/expense';
  • CVE-2025-10344: parameters 'name' and 'clientid' in '/projects/project/x';
  • CVE-2025-10345: parameters 'name' and 'address' in '/admin/leads/lead';
  • CVE-2025-10346: parameter 'subject' in '/knowledge_base/article'.
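As an added example (not part of the INCIBE advisory and not Perfex CRM's own code), the following Python script turns the advisory's data into two defender-side checks: a version comparison against the fixed release 3.4.0, and HTML escaping of the listed parameters so that a stored value renders as text rather than markup. The endpoint-to-parameter map is copied from the list above; the sample form submission is constructed for illustration.

```python
"""Added example derived from the INCIBE advisory text; not Perfex CRM code.

Two checks a defender can run:
  1. is_affected(): compare a deployed Perfex CRM version with the fixed
     release 3.4.0 named in the advisory.
  2. sanitize_submission(): HTML-escape the POST parameters the advisory
     lists, so that stored values render as text (the standard CWE-79 fix,
     whether applied at output time or, as here, before storage).
"""
import html
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (3, 4, 0)  # from the advisory: fixed in version 3.4.0

# Endpoint -> affected parameters, exactly as listed in the advisory.
AFFECTED_PARAMS: Dict[str, List[str]] = {
    "/clients/client/x": ["company"],              # CVE-2025-10341
    "/subscriptions/create": ["name"],             # CVE-2025-10342
    "/expenses/expense": ["expense_name"],         # CVE-2025-10343
    "/projects/project/x": ["name", "clientid"],   # CVE-2025-10344
    "/admin/leads/lead": ["name", "address"],      # CVE-2025-10345
    "/knowledge_base/article": ["subject"],        # CVE-2025-10346
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v3.2.1' / '3.2.1' into a comparable tuple of ints.

    Only the leading numeric components are used, so a suffix such as
    '-beta' is ignored rather than raising.
    """
    numbers = re.findall(r"\d+", version.split("-")[0])
    if not numbers:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(n) for n in numbers)


def is_affected(version: str) -> bool:
    """True when the deployed version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def sanitize_submission(endpoint: str, form: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the form with the advisory-listed parameters escaped.

    Fields not named in the advisory for this endpoint pass through unchanged,
    so the function is safe to apply to any request without altering data
    the advisory does not cover.
    """
    escaped = dict(form)
    for param in AFFECTED_PARAMS.get(endpoint, []):
        if param in escaped:
            escaped[param] = html.escape(escaped[param], quote=True)
    return escaped


def contains_markup(value: str) -> bool:
    """Cheap post-condition used in the demo: does the value still carry raw tags?"""
    return "<" in value or ">" in value


if __name__ == "__main__":
    # Constructed sample: a benign company name that carries HTML tags.
    sample = {"company": "<b>Acme</b> Ltd", "note": "<i>untouched</i>"}
    print("v3.2.1 affected:", is_affected("v3.2.1"))   # True
    print("3.4.0 affected:", is_affected("3.4.0"))     # False
    cleaned = sanitize_submission("/clients/client/x", sample)
    print("stored company value:", cleaned["company"])  # &lt;b&gt;Acme&lt;/b&gt; Ltd
    print("still contains markup:", contains_markup(cleaned["company"]))  # False
```

The escaping is applied only to the parameters the advisory names, which keeps the example faithful to the page; in a real deployment the same `html.escape` transformation belongs at every point where user-supplied text is rendered into a page, not just on these six fields.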
Exploitation
No