Platform: php
Component: perfex-crm
Fixed in: 3.2.1, 3.2.2
CVE-2025-2974 is a cross-site scripting (XSS) vulnerability in Perfex CRM versions 3.2.0 through 3.2.1, classified as "problematic" by the reporting database. The flaw is in the Contracts module: the 'content' argument handled by the /contract file is not neutralized before it is rendered, so an attacker can place script in a page that the application later serves to other users. A fix is available in version 3.2.2.
Successful exploitation lets an attacker run arbitrary JavaScript in the browser session of whoever views the affected contract page. In a CRM that means the usual XSS consequences: session hijacking, credential theft, actions performed with the victim's privileges, and defacement of the interface. Because Perfex CRM typically holds customer records, contracts and financial data, a hijacked session can expose sensitive personal and commercial information, and the impact grows with how central the CRM is to the organization's business processes.
CVE-2025-2974 was publicly disclosed on 2025-03-31. The CVSS rating is LOW, but XSS flaws in this kind of application are easy to exploit once the injection point is known, and the data at stake is sensitive, so prompt attention is warranted. No active campaigns targeting this vulnerability had been reported as of this writing, and no public proof-of-concept (PoC) code had been published; the nature of the flaw suggests that a simple PoC could be developed with little effort, so public disclosure alone makes it a candidate for opportunistic attackers.
Exploit Status
EPSS: 0.15% (35th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-2974 is to upgrade Perfex CRM to version 3.2.2 or later. If upgrading is not immediately feasible, reduce the attack surface by ensuring the 'content' parameter handled by the /contract file is validated on input and, more importantly, encoded or sanitized at the point where it is rendered into HTML; input validation alone is not a complete fix, because the value is stored and rendered later, and any rendering path that skips the check remains exploitable. A web application firewall (WAF) with XSS signatures adds a further layer, but WAF rules are bypassable and should be treated as a stopgap rather than a replacement for the patch. Review and update WAF rules regularly against current threat intelligence.
Update Perfex CRM to version 3.2.2 or later. This resolves the cross-site scripting (XSS) vulnerability in the Contracts component. Refer to the vendor's website for detailed update instructions.
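The following is an added example written for this page, not code from Perfex CRM or its vendor, showing the two rendering-side controls the workaround above relies on: full HTML encoding for plain-text fields, and an allowlist sanitizer for rich-text fields such as a contract body that legitimately contains markup. The function names, the allowlist, and the sample payload are all assumptions chosen for illustration; the real Perfex CRM code paths and template names are not shown on this page.

```php
<?php
// Added example (not Perfex CRM code). Assumes $content has already been read
// from the request or database; the allowlist below is illustrative only.
declare(strict_types=1);

// Plain-text fields: encode every HTML metacharacter before output.
function renderPlainText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Rich-text fields: keep only known-safe tags/attributes, drop everything else.
const ALLOWED_TAGS = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
                      'h1', 'h2', 'h3', 'a', 'table', 'tr', 'td', 'th'];
const ALLOWED_ATTRS = ['a' => ['href'], 'td' => ['colspan'], 'th' => ['colspan']];
// These carry executable or style content; remove the element and its children.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function safeUrl(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a scheme
    // ("java\tscript:"), so strip them before inspecting it.
    $norm = strtolower(preg_replace('/[\x00-\x20]+/', '', $url));
    if (preg_match('#^([a-z][a-z0-9+.-]*):#', $norm, $m)) {
        return in_array($m[1], ['http', 'https', 'mailto'], true);
    }
    return true; // no scheme: relative URL
}

function cleanAttributes(DOMElement $el, string $tag): void
{
    $allowed = ALLOWED_ATTRS[$tag] ?? [];
    foreach (iterator_to_array($el->attributes, false) as $attr) {
        $name = strtolower($attr->name);
        // Drops every on* handler, style, src, etc. that is not allowlisted.
        if (!in_array($name, $allowed, true) || ($name === 'href' && !safeUrl($attr->value))) {
            $el->removeAttribute($attr->name);
        }
    }
}

function cleanNode(DOMNode $node): void
{
    // Snapshot the list first: removing or moving children mutates it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
                continue;
            }
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unwrap: keep the (cleaned) children, discard the tag itself.
                cleanNode($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            cleanAttributes($child, $tag);
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, processing instructions
        }
    }
}

function sanitizeRichText(string $html): string
{
    $doc = new DOMDocument();
    // The meta tag tells libxml the fragment is UTF-8; the div gives one root.
    $wrapped = '<!DOCTYPE html><html><head>'
             . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
             . '</head><body><div id="root">' . $html . '</div></body></html>';
    $doc->loadHTML($wrapped, LIBXML_NOERROR | LIBXML_NOWARNING);
    $root = $doc->getElementById('root');
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child); // serialize without the wrapper div
    }
    return $out;
}

// Constructed sample payload of the kind an attacker would submit as 'content'.
$content = '<p>Hello <b>client</b></p><img src=x onerror="alert(1)">'
         . '<script>alert(2)</script><a href="javascript:alert(3)">pay</a>';

echo renderPlainText($content), PHP_EOL;   // safe for a text-only field
echo sanitizeRichText($content), PHP_EOL;  // safe for a rich-text field
```

Use renderPlainText for any field that is displayed as text; use the sanitizer only where markup is genuinely required, and apply it on output (or on both input and output) so that records already stored before the fix are also covered. The allowlist deliberately omits img, style and every on* attribute; extending it should be a conscious review decision, not a convenience.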
CVE-2025-2974 is a cross-site scripting (XSS) vulnerability in Perfex CRM versions 3.2.0 and 3.2.1 that allows attackers to inject malicious scripts through the Contracts module.
You are affected if you run Perfex CRM version 3.2.0 or 3.2.1. Upgrade to 3.2.2 or later to remove the risk.
The recommended fix is to upgrade Perfex CRM to version 3.2.2 or later. Input validation and output encoding of the 'content' parameter are a temporary workaround, not a substitute for the patch.
No active campaigns have been confirmed, but the public disclosure makes this a plausible target for opportunistic exploitation.
Refer to the official Perfex CRM website and security advisories for the latest information and updates regarding CVE-2025-2974.