CodeCanyon Perfex CRM Stored Cross-Site Scripting Vulnerability in Project Discussions Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in CodeCanyon Perfex CRM version 3.2.1, specifically within the Project Discussions Module. This issue allows authenticated users to inject malicious JavaScript into discussion descriptions, which is executed when other users view the discussion. The vulnerability could lead to session hijacking, phishing attacks, and complete account compromise.

Impact

Because the payload is stored, the injected JavaScript executes automatically when an admin views the affected discussion. This could lead to theft of admin session cookies, hijacking of the admin account, or execution of a keylogger that captures admin input.

Reproduction

To reproduce this vulnerability, log into Perfex CRM and navigate to a project discussion tab. Create a new discussion and inject a script payload, such as an image tag with an 'onerror' event, into the description field. Once posted, the injected script will execute when any user, including admins, views the discussion.
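For defenders checking an existing installation, the following added example (not code from Perfex CRM or from the advisory) audits stored discussion descriptions for markup that can execute script, such as the event-handler attribute described above. The row layout and the sample rows are constructed assumptions; real descriptions would be read from the application's database.

```python
from html.parser import HTMLParser

# Elements that run or embed active content, and attributes that carry URLs.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentFinder(HTMLParser):
    """Collects reasons why a stored HTML fragment could execute script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased; values are entity-decoded.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Drop whitespace and control characters before checking the scheme.
            compact = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):  # onerror, onload, onclick, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_description(html):
    """Return a list of findings for one stored description."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample rows (id, description); not data from a real installation.
SAMPLE_ROWS = [
    (1, "<p>Kickoff notes, see <a href='https://example.com/spec'>spec</a></p>"),
    (2, "<p>Logo</p><img src=x onerror=\"alert(1)\">"),
    (3, "<a href=\"javascript:void(0)\">report</a>"),
    (4, "Use &lt;img onerror=...&gt; as a test string"),  # escaped, so inert
]


def audit_rows(rows):
    """Return {id: findings} for rows whose description has active content."""
    return {rid: f for rid, d in rows if (f := audit_description(d))}


if __name__ == "__main__":
    for rid, findings in audit_rows(SAMPLE_ROWS).items():
        print(rid, findings)
```

Rows 2 and 3 are flagged; row 4 is not, because its markup is entity-encoded and reaches the browser as text, which is the behaviour output encoding is meant to guarantee.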

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 1.7
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.