Perfex CRM Stored HTML Injection Vulnerability in Invoices and Client Communications

Vulnerability

A stored HTML injection vulnerability has been identified in Perfex CRM versions prior to 3.3.1. The issue arises because the application does not properly sanitize user input in several fields, including invoice descriptions, billing addresses, and client notes. This lack of input validation allows authenticated users to inject arbitrary HTML, which is then saved in the database and rendered unescaped in client-facing emails and PDF documents. Consequently, this vulnerability could be exploited to conduct phishing attacks, compromise business email communications, and distribute malware.

Impact

Exploitation of this vulnerability allows for the injection of malicious HTML that can be used in phishing attacks, business email compromise schemes, and the distribution of malware. The injected content persists in the database and is automatically included in client communications, such as emails and PDF attachments.

Reproduction

To reproduce this vulnerability, an authenticated user with low privileges can inject HTML payloads into the 'Bill To' address field within the estimate module. After saving the estimate, the injected HTML will be rendered unescaped in client-facing documents, such as emails and PDFs.
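The defect class described above, modelled as an added example that is not Perfex CRM's own code: a free-text 'Bill To' value stored by a low-privileged user is later interpolated into an HTML email or PDF template. The vulnerable pattern passes the stored string through unchanged; the hardened pattern escapes it at the output boundary. A third helper flags rows that already carry markup, which is the check an administrator would want to run over existing records after upgrading. The function names, the template fragment and the sample values are all hypothetical.

```php
<?php
// Added example (not Perfex CRM's own code). Models the defect described in the
// advisory: a stored 'Bill To' address rendered into an HTML email/PDF template.
// Function names, the template fragment and the sample values are hypothetical.

declare(strict_types=1);

/** Vulnerable pattern: the stored value is interpolated into HTML unescaped. */
function renderBillToUnsafe(string $billTo): string
{
    // nl2br keeps the address line breaks, but any stored markup passes through.
    return '<div class="bill-to">' . nl2br($billTo) . '</div>';
}

/** Hardened pattern: escape at the output boundary, then add the <br> tags. */
function renderBillToSafe(string $billTo): string
{
    $escaped = htmlspecialchars($billTo, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="bill-to">' . nl2br($escaped) . '</div>';
}

/**
 * Defender-side audit helper: does a stored field already contain something
 * tag-like? Rows written before the upgrade should be reviewed with this.
 */
function containsMarkup(string $value): bool
{
    // If strip_tags changes the string, the value contained tag-like input.
    return strip_tags($value) !== $value;
}

// Constructed samples: a legitimate address and one carrying injected markup.
$samples = [
    "Example Co\n1 Sample Street\nSampleton",
    "Example Co <i>injected markup</i>\n1 Sample Street",
];

foreach ($samples as $value) {
    echo 'stored value contains markup: ' . (containsMarkup($value) ? 'yes' : 'no') . PHP_EOL;
    echo 'unsafe: ' . renderBillToUnsafe($value) . PHP_EOL;
    echo 'safe:   ' . renderBillToSafe($value) . PHP_EOL . PHP_EOL;
}
```

Escaping belongs at the point where the value enters HTML, not at the point of storage: the same address may also be rendered into plain-text mail or a CSV export, where HTML entities would be wrong. The `containsMarkup` check is a heuristic (`strip_tags` treats any `<` followed by a non-space character as a tag start), so treat its hits as candidates for manual review rather than as definitive findings.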

Remediation

Users are advised to upgrade to Perfex CRM version 3.3.1 or later.

Added: Oct 10, 2025, 8:25 PM
Updated: Oct 10, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 5.0
exploitability: 6.2
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.