Perfex CRM
cpe:2.3:a:perfexcrm:perfex_crm:*:*:*:*:*:*:*
Affected versions: < 3.3.1
A stored cross-site scripting vulnerability has been identified in the chatbot feature of Perfex CRM, affecting versions prior to 3.3.1. This vulnerability allows attackers to inject arbitrary HTML and JavaScript, which is executed in the browsers of users viewing the chat. The issue arises from insufficient input validation and output encoding of chatbot messages, enabling the execution of client-side scripts. Additionally, session cookies are not marked as HttpOnly, increasing the risk of session token theft.
Exploitation of this vulnerability allows for session hijacking, account takeover, and, if an administrator views a malicious message, privilege escalation by compromising an admin account. The vulnerability also enables data exfiltration of sensitive information accessible in the user's browser context and could be used for phishing attacks by modifying page content and redirecting users.
To reproduce this vulnerability, send a message through the Perfex CRM chatbot that includes malicious HTML or JavaScript. Once the message is sent, the injected script will execute in the browsers of users who view the chat. This can be demonstrated by using a payload that, for example, steals session cookies and sends them to an attacker-controlled server.
Users should upgrade to Perfex CRM version 3.3.1 or later. After updating, review the chatbot history for any suspicious content, reset user sessions, and monitor logs for unusual activity. Developers should implement input sanitization and output encoding, establish a Content Security Policy, mark cookies as HttpOnly, and use an input validation library to clean HTML before storage.
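As an added illustration of the developer-side mitigations listed above (not Perfex CRM's own code), the following Node.js snippet escapes chat messages at output time, builds the session cookie with HttpOnly, defines a restrictive Content Security Policy, and includes a response check that flags any Set-Cookie header lacking HttpOnly; the function names, cookie name and the sample message are all constructed for this example.

```javascript
// Added example, not Perfex CRM code: server-side hardening of chat
// message rendering and session cookies, as the advisory recommends.

// Output-encode a chat message so it is rendered as text, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  })[ch]);
}

// Build the HTML fragment for a stored chat message. Every field is
// escaped at output time, so whatever was stored cannot become script.
function renderChatMessage(msg) {
  return `<div class="chat-msg" data-id="${escapeHtml(msg.id)}">` +
         `<span class="author">${escapeHtml(msg.author)}</span>: ` +
         `<span class="body">${escapeHtml(msg.body)}</span></div>`;
}

// Session cookie carrying the attribute the advisory says was missing
// (HttpOnly), plus Secure and SameSite. `name` and `value` are hypothetical.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Content Security Policy that forbids inline scripts, so a missed encoding
// path still cannot run injected inline JavaScript.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Defensive check for outgoing responses: return the names of cookies in a
// list of Set-Cookie header values that were set without HttpOnly.
function cookiesMissingHttpOnly(setCookieHeaders) {
  return setCookieHeaders
    .filter((h) => !/;\s*httponly(\s*;|\s*$)/i.test(h))
    .map((h) => h.split('=')[0].trim());
}

// Constructed sample: a stored message containing markup, shown only to
// demonstrate that it is rendered as inert text.
const sample = { id: 42, author: 'visitor', body: '<b>hi</b> <script>x()</script>' };
console.log(renderChatMessage(sample));
console.log(sessionCookieHeader('sid', 'example-session-id'), CSP_HEADER);
console.log(cookiesMissingHttpOnly(['sid=1; Path=/; HttpOnly', 'track=2; Path=/']));
```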