CVE-2025-60374
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-14

Last updated on: 2025-10-16

Assigner: MITRE

Description
Stored Cross-Site Scripting (XSS) in Perfex CRM chatbot before 3.3.1 allows attackers to inject arbitrary HTML/JavaScript. The payload is executed in the browsers of users viewing the chat, resulting in client-side code execution, potential session token theft, and other malicious actions. A different vulnerability than CVE-2024-8867.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-14
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-60374
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
perfex crm *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60374 is a Stored Cross-Site Scripting (XSS) vulnerability in the chatbot feature of Perfex CRM versions before 3.3.1. It occurs because the chatbot does not properly validate or encode user input in chat messages, allowing attackers to inject malicious HTML or JavaScript code. This code is stored on the server and executed in the browsers of users who view the chat, enabling client-side code execution and potentially harmful actions like stealing session tokens. [1]

Impact Analysis

This vulnerability can lead to session token theft, allowing attackers to hijack user sessions and take over accounts, including administrator accounts. It can also enable privilege escalation, data exfiltration, phishing attacks by modifying page content or redirecting users, and other malicious actions executed in the victim's browser. The confidentiality and integrity of data are highly impacted, while availability impact is low. [1]

Detection Guidance

Detection involves auditing chatbot messages for malicious HTML or JavaScript content that could indicate stored XSS payloads. Monitoring logs for suspicious activity related to chatbot usage is also recommended. Specific commands are not provided, but reviewing chat message data for injected scripts or unusual tags (e.g., <img onerror=...>, <iframe>, event handlers like onmouseover) can help identify exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Perfex CRM to version 3.3.1 or later, auditing and cleaning chatbot messages to remove malicious content, resetting user sessions to invalidate potentially compromised tokens, and monitoring logs for suspicious activity. Developers should also implement proper input sanitization and output encoding, enforce a strict Content Security Policy, and mark cookies as HttpOnly, Secure, and SameSite=Strict. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60374. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart