Perfex
by Perfexcrm
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17976 | | Cri | 0.68 | 9.8 | 0.13 | | Jan 26, 2018 | In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution. |
| CVE-2025-55903 | | Hig | 0.54 | 8.3 | 0.00 | | Oct 10, 2025 | An HTML injection vulnerability exists in Perfex CRM v3.3.1. The application fails to sanitize user input in the "Bill To" address field within the estimate module. As a result, arbitrary HTML can be injected and rendered unescaped in client-facing documents. |
| CVE-2024-56908 | | Med | 0.44 | 6.8 | 0.01 | | Feb 13, 2025 | In Perfex CRM < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. By providing malicious input in the rel_id parameter, combined with improper input validation, the attacker can bypass restrictions and upload… |
| CVE-2024-44851 | | Med | 0.35 | 5.4 | 0.00 | | Sep 11, 2024 | A stored cross-site scripting (XSS) vulnerability in the Discussion section of Perfex CRM v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content parameter. |
| CVE-2021-40303 | | Med | 0.35 | 5.4 | 0.01 | | Nov 8, 2022 | Perfex CRM 1.10 is vulnerable to Cross Site Scripting (XSS) via /clients/profile. |
| CVE-2020-28961 | | Med | 0.35 | 5.4 | 0.01 | | Oct 22, 2021 | Perfex CRM v2.4.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component ./clients/client via the company name parameter. |
| CVE-2025-3219 | | Low | 0.23 | 3.5 | 0.00 | | Apr 4, 2025 | A vulnerability was found in CodeCanyon Perfex CRM 3.2.1. It has been classified as problematic. Affected is an unknown function of the file /perfex/clients/project/2 of the component Project Discussions Module. The manipulation of the argument description leads to cross site… |
| CVE-2024-8867 | | Low | 0.23 | 3.5 | 0.00 | | Sep 15, 2024 | A vulnerability was found in Perfex CRM 3.1.6. It has been declared as problematic. This vulnerability affects unknown code of the file application/controllers/Clients.php of the component Parameter Handler. The manipulation of the argument message leads to cross site scripting.… |
| CVE-2025-10346 | | | 0.00 | — | 0.00 | | Sep 29, 2025 | HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'subject' at the endpoint 'knoewledge_base/article'. |