Perfexcrm
Products (3)
- 7 CVEs
- 3 CVEs
- 1 CVE
Recent CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17976 | | Critical | 0.68 | 9.8 | 0.13 | | Jan 26, 2018 | In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lead to remote code execution. |
| CVE-2025-55903 | | High | 0.54 | 8.3 | 0.00 | | Oct 10, 2025 | An HTML injection vulnerability exists in Perfex CRM v3.3.1. The application fails to sanitize user input in the "Bill To" address field within the estimate module. As a result, arbitrary HTML can be injected and rendered unescaped in client-facing documents. |
| CVE-2024-56908 | | Medium | 0.44 | 6.8 | 0.01 | | Feb 13, 2025 | In Perfex CRM < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. By providing malicious input in the rel_id parameter, combined with improper input validation, the attacker can bypass restrictions and upload… |
| CVE-2026-7782 | | Medium | 0.41 | 6.3 | 0.00 | | May 4, 2026 | A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be… |
| CVE-2025-10346 | | | 0.00 | — | 0.00 | | Sep 29, 2025 | HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'subject' at the endpoint 'knoewledge_base/article'. |
| CVE-2024-8867 | | | 0.00 | — | 0.00 | | Sep 15, 2024 | A vulnerability was found in Perfex CRM 3.1.6. It has been declared as problematic. This vulnerability affects unknown code of the file application/controllers/Clients.php of the component Parameter Handler. The manipulation of the argument message leads to cross site scripting.… |
| CVE-2024-44851 | | | 0.00 | — | 0.00 | | Sep 11, 2024 | A stored cross-site scripting (XSS) vulnerability in the Discussion section of Perfex CRM v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content parameter. |
| CVE-2021-40303 | | | 0.00 | — | 0.01 | | Nov 8, 2022 | Perfex CRM 1.10 is vulnerable to Cross Site Scripting (XSS) via /clients/profile. |
| CVE-2020-28961 | | | 0.00 | — | 0.01 | | Oct 22, 2021 | Perfex CRM v2.4.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component ./clients/client via the company name parameter. |