VYPR

Perfex

by Perfexcrm

CVEs (9)

  • CVE-2017-17976 · Cri · Jan 26, 2018
    risk 0.68 · cvss 9.8 · epss 0.13

    In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution.

  • CVE-2025-55903 · Hig · Oct 10, 2025
    risk 0.54 · cvss 8.3 · epss 0.00

    An HTML injection vulnerability exists in Perfex CRM v3.3.1. The application fails to sanitize user input in the "Bill To" address field within the estimate module. As a result, arbitrary HTML can be injected and rendered unescaped in client-facing documents.

  • CVE-2024-56908 · Med · Feb 13, 2025
    risk 0.44 · cvss 6.8 · epss 0.01

    In Perfex CRM < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. By providing malicious input in the rel_id parameter, combined with improper input validation, the attacker can bypass restrictions and upload…

  • CVE-2024-44851 · Med · Sep 11, 2024
    risk 0.35 · cvss 5.4 · epss 0.00

    A stored cross-site scripting (XSS) vulnerability in the Discussion section of Perfex CRM v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content parameter.

  • CVE-2021-40303 · Med · Nov 8, 2022
    risk 0.35 · cvss 5.4 · epss 0.01

    Perfex CRM 1.10 is vulnerable to Cross Site Scripting (XSS) via /clients/profile.

  • CVE-2020-28961 · Med · Oct 22, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    Perfex CRM v2.4.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component ./clients/client via the company name parameter.

  • CVE-2025-3219 · Low · Apr 4, 2025
    risk 0.23 · cvss 3.5 · epss 0.00

    A vulnerability was found in CodeCanyon Perfex CRM 3.2.1. It has been classified as problematic. Affected is an unknown function of the file /perfex/clients/project/2 of the component Project Discussions Module. The manipulation of the argument description leads to cross site…

  • CVE-2024-8867 · Low · Sep 15, 2024
    risk 0.23 · cvss 3.5 · epss 0.00

    A vulnerability was found in Perfex CRM 3.1.6. It has been declared as problematic. This vulnerability affects unknown code of the file application/controllers/Clients.php of the component Parameter Handler. The manipulation of the argument message leads to cross site scripting.…

  • CVE-2025-10346 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'subject' at the endpoint 'knoewledge_base/article'.