Platform
php
Component
vulnerability-research
Fixed in
3.2.2
CVE-2025-3219 is a cross-site scripting (XSS) vulnerability discovered in the Project Discussions Module of Perfex CRM, affecting versions 3.2.1 through 3.2.1. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. A fix is available in version 3.2.2, and users are strongly advised to upgrade immediately.
The vulnerability lies in the handling of the 'description' parameter at the /perfex/clients/project/2 endpoint of the Project Discussions Module. An attacker can submit arbitrary JavaScript through this parameter, and it is executed in the browser of any user who views the affected page. This could lead to session hijacking, defacement of the CRM interface, or the theft of sensitive information such as usernames, passwords, and financial data. The impact is amplified if the CRM is used to manage sensitive client information or financial transactions, since a successful attack could expose this data to unauthorized parties.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date, but the availability of a public exploit increases the risk. The vulnerability was added to the NVD on 2025-04-04.
Organizations using Perfex CRM version 3.2.1, particularly those handling sensitive client data or financial information, are at significant risk. Shared hosting environments where multiple clients share the same CRM instance are also particularly vulnerable, as a compromise of one client's account could potentially affect others.
• php / web: Examine project discussion pages for unusual JavaScript behavior. Use browser developer tools to inspect the source code and identify any injected scripts.
• generic web: Use curl/wget to test the /perfex/clients/project/2 endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>). Check whether the payload is reflected in the response body unencoded; a properly fixed build returns it HTML-encoded (e.g., &lt;script&gt;).
• generic web: Review access and error logs for suspicious requests targeting the /perfex/clients/project/2 endpoint.
• generic web: Check response headers for Content-Security-Policy (CSP) directives that might mitigate XSS attacks.
disclosure
Exploit status
EPSS
0.15% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3219 is to upgrade Perfex CRM to version 3.2.2 or later, which contains the fix. If an immediate upgrade is not possible, apply temporary workarounds such as input validation and output encoding on the 'description' field. A web application firewall (WAF) can also be configured to filter requests carrying JavaScript in this parameter. Regularly review and update the CRM's security configuration to minimize the risk of exploitation. After upgrading, confirm the fix by submitting a simple JavaScript payload in the project description field and verifying that it is rendered as inert text rather than executed.
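The workaround above, output encoding of the 'description' field, as an added example (not Perfex CRM's own code): the unsafe rendering pattern the advisory describes beside a hardened version, plus the post-upgrade check that a constructed script tag stays inert. Function names and the markup wrapper are assumptions.

```php
<?php
// Added example, not Perfex CRM code. Demonstrates the XSS pattern behind
// CVE-2025-3219 and the output-encoding fix for a discussion 'description'.
declare(strict_types=1);

// Vulnerable pattern: the stored description is interpolated into markup
// unchanged, so any HTML/JS the author submitted runs in every viewer's browser.
function render_description_unsafe(string $description): string
{
    return '<div class="discussion-description">' . $description . '</div>';
}

// Hardened pattern: encode for the HTML text context.
// ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of returning an empty string, ENT_HTML5 selects HTML5
// entity rules. The text is displayed verbatim and never parsed as markup.
function render_description_safe(string $description): string
{
    $encoded = htmlspecialchars(
        $description,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="discussion-description">' . $encoded . '</div>';
}

// Server-side input validation for the 'description' field (defence in depth
// only; the output encoding above is the control that actually prevents XSS).
function validate_description(string $description, int $maxLen = 10000): bool
{
    if ($description === '' || strlen($description) > $maxLen) {
        return false;
    }
    return mb_check_encoding($description, 'UTF-8');
}

// Regression check for the advisory's post-upgrade verification step:
// a description containing a script tag must not survive as markup.
function description_is_rendered_inert(string $description): bool
{
    $html = render_description_safe($description);
    return stripos($html, '<script') === false
        && strpos($html, '&lt;script') !== false;
}

// Constructed sample input: the payload string quoted in the advisory.
$sample = "<script>alert('XSS')</script>";
echo render_description_unsafe($sample), PHP_EOL; // tag reaches the browser intact
echo render_description_safe($sample), PHP_EOL;   // tag is entity-encoded
var_dump(validate_description($sample), description_is_rendered_inert($sample));
```

The same encoding call must be applied at every place the description is emitted into HTML, not only in one template.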
Update Perfex CRM to a version later than 3.2.1 that includes the fix for the XSS vulnerability in the Project Discussions module. Consult the Perfex CRM changelog or release notes for details on the update and the specific fix. If no fixed version is available, consider disabling the Project Discussions module until an update is released.
CVE-2025-3219 is a cross-site scripting (XSS) vulnerability affecting Perfex CRM versions 3.2.1–3.2.1, allowing attackers to inject malicious scripts.
If you are using Perfex CRM version 3.2.1, you are vulnerable to this XSS attack. Upgrade to 3.2.2 or later to mitigate the risk.
Upgrade Perfex CRM to version 3.2.2 or later. As a temporary workaround, implement input validation and output encoding on the 'description' field.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Refer to the official Perfex CRM website and security advisories for the latest information and updates regarding CVE-2025-3219.