Platform: php
Component: vulnerability-research
Fixed in: 3.2.2
CVE-2025-3219 is a cross-site scripting (XSS) vulnerability discovered in the Project Discussions Module of Perfex CRM, affecting version 3.2.1. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and sensitive data. A fix is available in version 3.2.2, and users are strongly advised to upgrade immediately.
The vulnerability lies within the handling of the 'description' argument in the /perfex/clients/project/2 file of the Project Discussions Module. An attacker can inject arbitrary JavaScript code through this parameter, which will then be executed in the context of a user's browser when they view the affected page. This could lead to session hijacking, defacement of the CRM interface, or the theft of sensitive information such as usernames, passwords, and financial data. The impact is amplified if the CRM is used to manage sensitive client information or financial transactions, as a successful attack could expose this data to unauthorized parties.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date, but the availability of a public exploit increases the risk. The vulnerability was added to the NVD on 2025-04-04.
EPSS: 0.15% (35th percentile)
The primary mitigation for CVE-2025-3219 is to upgrade Perfex CRM to version 3.2.2 or later, which contains the fix. If an immediate upgrade is not possible, consider temporary workarounds such as input validation and output encoding on the 'description' field. Web application firewalls (WAFs) can also be configured to filter out potentially malicious JavaScript code. Regularly review and update your CRM's security configuration to minimize the risk of exploitation. After upgrading, confirm the fix by submitting a simple JavaScript test payload in the project description field and verifying that it is rendered inert (encoded rather than executed).
Update Perfex CRM to a version later than 3.2.1 that includes the fix for the XSS vulnerability in the Project Discussions module. Consult the Perfex CRM changelog or release notes for more details about the update and the specific fix. If no patched version is available, consider disabling the Project Discussions module until an update is released.
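To make the defect class and the recommended workaround concrete, the following PHP script is an added illustration and is not Perfex CRM's own code. It places the unsafe pattern described above (a stored 'description' value written into HTML verbatim) beside the hardened form that HTML-encodes at output time, and ends with the kind of post-upgrade regression check the advisory recommends. The function names, the sample description and the probe payload are all assumptions constructed for the example.

```php
<?php
// Added illustration (not Perfex CRM's own code): an unescaped 'description'
// value written into HTML, beside the hardened form. Function names, the
// sample description and the probe payload are assumptions for this example.

declare(strict_types=1);

// Vulnerable pattern: the stored description is concatenated into the page
// as-is, so any markup in it becomes part of the DOM and any <script> it
// carries executes in the viewing user's browser.
function render_description_unsafe(string $description): string
{
    return '<div class="project-description">' . $description . '</div>';
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES also
// encodes single and double quotes so the value stays safe inside attribute
// values; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of making
// htmlspecialchars() return an empty string (which would silently drop text).
function render_description_safe(string $description): string
{
    $encoded = htmlspecialchars(
        $description,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="project-description">' . $encoded . '</div>';
}

// Regression check: the raw probe must not appear in the rendered page, and
// its encoded form must. Run this against the real rendering path after an
// upgrade, not just against the helper above.
function description_is_sanitized(string $rendered_html, string $probe): bool
{
    $encoded_probe = htmlspecialchars(
        $probe,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return strpos($rendered_html, $probe) === false
        && strpos($rendered_html, $encoded_probe) !== false;
}

// Constructed sample input: a description carrying a harmless probe payload.
$probe       = '<script>alert("xss-probe")</script>';
$description = 'Kickoff notes for the client project. ' . $probe;

$unsafe = render_description_unsafe($description);
$safe   = render_description_safe($description);

printf("unsafe rendering sanitized: %s\n", description_is_sanitized($unsafe, $probe) ? 'yes' : 'no');
printf("safe rendering sanitized:   %s\n", description_is_sanitized($safe, $probe) ? 'yes' : 'no');
echo $safe, "\n";
```

Two points worth keeping in mind when applying this to a real deployment: encoding must match the output context (the HTML-body encoding shown here is not sufficient for a value placed inside a JavaScript string or a URL), and input-side validation or a WAF rule is defense in depth only, since the durable fix is the output encoding that the 3.2.2 release supplies.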
CVE-2025-3219 is a cross-site scripting (XSS) vulnerability affecting Perfex CRM version 3.2.1, allowing attackers to inject malicious scripts.
If you are using Perfex CRM version 3.2.1, you are vulnerable to this XSS attack. Upgrade to 3.2.2 or later to mitigate the risk.
Upgrade Perfex CRM to version 3.2.2 or later. As a temporary workaround, implement input validation and output encoding on the 'description' field.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Refer to the official Perfex CRM website and security advisories for the latest information and updates regarding CVE-2025-3219.