CVE-2021-40303 - Cross Site Scripting Vulnerability Found in Perfex CRM 1.10

A Cross Site Scripting (XSS) vulnerability has been discovered in Perfex CRM version 1.10, which exposes its users and their sensitive information to potential attacks. This long-read post provides an in-depth analysis of this vulnerability identified as CVE-2021-40303, including code snippets, links to original references, and detailed exploit information.

CVE-2021-40303: XSS vulnerability in Perfex CRM 1.10

Perfex CRM is a powerful customer relationship management tool designed to help businesses manage their clients, projects, and tasks efficiently. However, security researchers have recently identified a critical vulnerability in Perfex CRM version 1.10. This vulnerability, designated as CVE-2021-40303, is a high-risk Cross Site Scripting (XSS) issue that threatens the data integrity and privacy of both individuals and companies using the platform.

Exploit Details

The vulnerability lies in the /clients/profile path, where the software fails to properly sanitize user input, thereby allowing the execution of malicious code by attackers. By exploiting this vulnerability, an attacker can steal sensitive client data, session cookies, and even perform actions on the web application with the victim's privileges.

The following code snippet demonstrates the vulnerable section of the Perfex CRM source code:

	// clients/profile.php
	// ...
	if ($this->input->post('company')) {
	    $data['company'] = $this->input->post('company'); // Vulnerable to XSS
	}
	// ...
	echo json_encode($data);

As shown above, the user input in the 'company' field is not properly sanitized before being passed to the 'echo json_encode($data);' statement, which outputs the unsanitized data to the page. Consequently, attackers can inject malicious scripts by crafting user input containing JavaScript code.

Proof of Concept (PoC)

To exploit the vulnerability, an attacker can craft a POST request with malicious JavaScript code embedded in the 'company' field. Here's an example of a malicious POST request:

	POST /clients/profile HTTP/1.1
	Host: target_site.com
	Content-Type: application/x-www-form-urlencoded
	Content-Length: length

	company=%3Cscript%3Ealert%28%27XSS%20Attack%27%29%3B%3C%2Fscript%3E

In this example, the URL-encoded JavaScript code %3Cscript%3Ealert%28%27XSS%20Attack%27%29%3B%3C%2Fscript%3E translates to <script>alert('XSS Attack');</script>. When a victim views the manipulated /clients/profile page, the injected script will execute, alerting 'XSS Attack'.

Mitigations

As a short-term solution, it is recommended to apply input validation and output filtering using secure coding practices to prevent the exploitation of this vulnerability. Users of Perfex CRM should also look out for any security patches provided by the vendor.

Additionally, implementing Content Security Policy (CSP) headers can offer an extra layer of security to mitigate XSS attacks.
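
One way to apply the input validation, output filtering and response headers described above, as an added example rather than Perfex CRM's code or the vendor's fix. It assumes the endpoint is meant to return JSON; the function names and the 255-character limit are hypothetical.

```php
<?php
// Added example; not Perfex CRM code. All function names are hypothetical.

// Input validation: bound the length and reject control characters.
// The 255-character limit is an assumption, not a Perfex CRM constraint.
function validate_company(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || strlen($value) > 255) {
        return null;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $value) ? null : $value;
}

// Output filtering, JSON context: the JSON_HEX_* flags emit < > & ' " as
// \u00XX escapes, so the body contains no markup even if rendered as HTML.
// JSON_THROW_ON_ERROR needs PHP 7.3 or later.
function encode_profile_json(array $data): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($data, $flags | JSON_THROW_ON_ERROR);
}

// Output filtering, HTML context: escape where the value is written to a page.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Send the response as JSON, forbid MIME sniffing, and attach a restrictive CSP.
function send_profile_json(array $data): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    header("Content-Security-Policy: default-src 'none'");
    echo encode_profile_json($data);
}

// Constructed sample: the decoded 'company' value from the request above.
if (PHP_SAPI === 'cli') {
    $company = validate_company("<script>alert('XSS Attack');</script>");
    // Validation accepts it (a company name is free text), so encoding must hold.
    echo encode_profile_json(['company' => $company]), PHP_EOL;
    echo html_out((string) $company), PHP_EOL;
}
```

The escaped JSON decodes back to the original string in the browser, so client-side code should write it with textContent rather than innerHTML.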

Original References

The vulnerability has been acknowledged by the Perfex CRM development team, and a fix is expected in their upcoming update. For more information on CVE-2021-40303, please refer to the following sources:

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40303
2. NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-40303
3. Perfex CRM GitHub Repository: https://github.com/PerfexCRM/PerfexCRM

Conclusion

CVE-2021-40303 is a significant XSS vulnerability found in the popular Perfex CRM 1.10, which poses a serious risk to user privacy and data integrity. It is crucial for businesses and individuals utilizing Perfex CRM to stay informed about this vulnerability and proactively apply recommended mitigations while waiting for official patches from the vendor. Protecting user data and privacy should be of utmost priority for any business entity using customer relationship management software.

Timeline

Published on: 11/08/2022 18:15:00 UTC
Last modified on: 11/09/2022 03:00:00 UTC