PoC details: 15ecd06db4f4a27769652189fc0ff72a97d90edf

Source
Related vulnerability
Title: Perfex CRM security vulnerability (CVE-2025-55903)
Description: Perfex CRM is an open-source customer relationship management software from Perfex CRM, used to manage customers and projects and to create invoices in the cloud. Perfex CRM version 3.3.1 contains a security vulnerability caused by unsanitized user input, which may lead to HTML injection attacks.
Description
CVE-2025-55903 — Stored HTML Injection in PerfexCRM < 3.3.1 (Invoice/Client Communication)
Introduction
# CVE-2025-55903: Stored HTML Injection in PerfexCRM

> **⚠️ Security Advisory**  
> A critical Stored HTML Injection vulnerability affecting invoices, billing, and automated communications

[![CVE](https://img.shields.io/badge/CVE-2025--55903-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55903)
[![Severity](https://img.shields.io/badge/Severity-High-orange)]()
[![CVSS](https://img.shields.io/badge/CVSS-8.1%20(High)-ff6600)]()

---

## 📋 Overview

A Stored HTML Injection vulnerability has been discovered in PerfexCRM that allows authenticated users to inject malicious HTML into invoice descriptions, billing addresses, and client notes. This injected content persists in the database and is automatically rendered in client-facing emails and PDF attachments, enabling large-scale phishing attacks, business email compromise, and potential malware delivery.

## 🎯 Affected Versions

- **Product:** PerfexCRM
- **Vulnerable Versions:** < 3.3.1
- **Fixed Version:** 3.3.1+

## 🔍 Vulnerability Details

| Attribute | Value |
|-----------|-------|
| **CVE ID** | CVE-2025-55903 |
| **Type** | Stored HTML Injection |
| **Attack Vector** | Network/Remote |
| **Authentication** | Required (Low Privilege) |
| **User Interaction** | None |
| **Severity** | HIGH |
| **CVSS v3.1** | 8.1 - High |
| **Discoverer** | Ajansha Shankar |

### Description

PerfexCRM fails to properly sanitize and encode HTML content in multiple user-editable fields. When authenticated users inject HTML payloads into invoice line item descriptions, billing address fields, or client notes, the content is stored in the database without adequate filtering. Subsequently, this malicious HTML is automatically rendered in client-facing emails and PDF attachments without proper escaping, leading to widespread distribution of phishing content and malware.

### Affected Components

- ✗ Invoice line items (description field)
- ✗ Billing address fields
- ✗ Client note fields
- ✗ Client statement generation module
- ✗ PDF attachments
- ✗ Automated email system (recurring invoices, reminders)

### Root Cause

- ❌ Insufficient input sanitization on invoice and billing fields
- ❌ Missing HTML output encoding in email templates and PDF generation
- ❌ Lack of content validation before storing in database
- ❌ No restrictions on HTML/JavaScript in client communications

## 💥 Impact

### Security Implications

- **🎣 Phishing Attacks:** Injected content can impersonate legitimate communications and redirect users to attacker-controlled sites
- **💼 Business Email Compromise:** Malicious invoices sent to multiple clients appear to come from a trusted source
- **🦠 Malware Distribution:** Embedded malicious links or iframes can deliver malware via email/PDF
- **👥 Large-Scale Attack:** Recurring invoices automatically distribute payload to multiple recipients without manual intervention
- **📊 Data Harvesting:** Phishing payloads can harvest credentials from multiple clients simultaneously

### CIA Triad Assessment

| Factor | Impact | Explanation |
|--------|--------|-------------|
| **Confidentiality** | 🔴 HIGH | Client credentials and sensitive data can be harvested via phishing |
| **Integrity** | 🔴 HIGH | Injected content alters what recipients see in otherwise legitimate communications |
| **Availability** | 🟡 LOW | Limited direct impact on system availability |

### Real-World Attack Scenario

An attacker with low-privilege access creates an invoice with malicious HTML:

```html
<a href="https://attacker.com/fake-login">Click here to verify payment</a>
```

The invoice is sent to 50+ clients via automated email. All clients receive what appears to be a legitimate invoice directing them to a phishing site. The attacker harvests credentials from multiple victims simultaneously.

## 🧪 Proof of Concept

### Environment Setup
- Access to PerfexCRM admin panel with invoice creation permissions
- Any version prior to 3.3.1

### PoC Steps

#### Step 1: Access Invoice Creation
```
Navigate to: PerfexCRM Admin Dashboard → Invoices → Create New Invoice
```

#### Step 2: Inject HTML Payload in Description Field
```html
<a href="https://attacker.com">Click here to view invoice</a>
```

#### Step 3: Add Malicious Billing Address
```html
<a href="https://evil.com" target="_blank">
  <img src="https://media1.giphy.com/media/v1.Y2lkPTc5MGI3NjExbzg4OXRuZHd4MXF0bWNqa3BvN2pzbWdqMzRxZHc5bHJpbXpucHNtaSZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/9PgvV8ale90lQwfQTZ/giphy.gif">
</a>
```

#### Step 4: Add Styling Payload
```html
<h1><font color=red>Visit Our New WebSite</font></h1>
<h3><mark><a href="https://evil.com">https://www.paytm.com/</a></mark></h3>
```

#### Step 5: Generate Email/PDF
- Save the invoice
- System automatically sends via email to client
- Download PDF to verify HTML rendering

#### Step 6: Verify Attack
- Check client email inbox
- Open PDF attachment
- Observe malicious HTML rendered in both

### Expected Result
✅ Injected HTML renders in both email and PDF without escaping
✅ Links are clickable and redirect to attacker sites
✅ Images load from attacker-controlled servers
✅ Content persists across all future client communications

## 🛡️ Mitigation

### For End Users

1. **✅ Upgrade Immediately:** Update to PerfexCRM v3.3.1 or later
2. **🔍 Audit Invoices:** Review recent invoices for suspicious HTML content
3. **⚠️ Client Notification:** Alert clients if suspicious invoices were sent
4. **🔄 Credential Reset:** Recommend clients change passwords if they clicked links
5. **📝 Monitor Activity:** Check invoice audit logs for unauthorized modifications
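As an added example (not the project's code or the author's PoC), the following Python routine shows the kind of check the "Audit Invoices" step above calls for: it scans stored invoice field values for embedded markup and off-domain link targets, and places the unencoded template pattern named in the Root Cause list beside its output-encoded form. Field names, invoice numbers and hostnames are constructed placeholders.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample rows standing in for invoice/billing/client-note records;
# the hostnames are placeholders, not values from the advisory.
SAMPLE_INVOICE_FIELDS = [
    {"invoice": 1001, "field": "description", "value": "Consulting, 10 hours"},
    {"invoice": 1002, "field": "description",
     "value": '<a href="https://attacker.example/fake-login">Click here to verify payment</a>'},
    {"invoice": 1002, "field": "billing_street",
     "value": '<a href="https://evil.example" target="_blank"><img src="https://evil.example/x.gif"></a>'},
    {"invoice": 1003, "field": "client_note", "value": "Pays net 30 & prefers PDF"},
]

class _TagCollector(HTMLParser):
    """Collects tag names and href/src targets found in one stored field value."""
    def __init__(self):
        super().__init__()
        self.tags, self.urls = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, val in attrs:
            if name in ("href", "src") and val:
                self.urls.append(val)

def audit_field(value, trusted_hosts=()):
    """Return the tags a value contains and any link/image target whose host
    is not on the trusted list (a plain-text value yields no tags)."""
    parser = _TagCollector()
    parser.feed(value)
    external = [u for u in parser.urls if urlparse(u).hostname not in trusted_hosts]
    return {"tags": parser.tags, "external_urls": external}

def audit_invoices(rows, trusted_hosts=()):
    """Flag every stored row that carries markup; a clean CRM should yield none."""
    findings = []
    for row in rows:
        result = audit_field(row["value"], trusted_hosts)
        if result["tags"]:
            findings.append({**row, **result})
    return findings

def render_unsafe(value):
    """The pattern the advisory describes: the stored value is dropped into the
    email/PDF template verbatim, so any markup in it is rendered live."""
    return f"<td>{value}</td>"

def render_safe(value):
    """Hardened form: encode at output time so markup is displayed as text."""
    return f"<td>{html.escape(value, quote=True)}</td>"
```

Running `audit_invoices(SAMPLE_INVOICE_FIELDS)` reports only the two rows of invoice 1002; pass the CRM's own hostname in `trusted_hosts` so legitimate self-links are not flagged.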



## 📚 References

- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)
- [OWASP: Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
- [OWASP: HTML Injection](https://owasp.org/www-community/attacks/HTML_Injection)
- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)
- [CVE-2025-55903 Official Entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-55903)


## 👤 Credits

**Discovered by:** Ajansha Shankar

## 📊 CVSS v3.1 Assessment

**Vector:** `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N`

**Score:** 8.1 (HIGH)

**Breakdown:**
- **Attack Vector (AV:N):** Network - Can be exploited remotely
- **Attack Complexity (AC:L):** Low - No special conditions required
- **Privileges Required (PR:L):** Low - Requires authenticated user with basic privileges
- **User Interaction (UI:N):** None - No user interaction needed for attack to succeed
- **Scope (S:U):** Unchanged - Impact is limited to the vulnerable component
- **Confidentiality (C:H):** High - Potential credential theft via phishing
- **Integrity (I:H):** High - Malicious content can be injected and delivered
- **Availability (A:N):** None - No impact on system availability


**⭐ If this research was helpful, please consider starring this repository!**

**🔔 Stay updated:** Watch this repository for updates on this and future security research.
File snapshot

[4.0K] /data/pocs/15ecd06db4f4a27769652189fc0ff72a97d90edf └── [7.0K] README.md 0 directories, 1 file