CVE-2025-60374
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-10-16
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| perfex | crm | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-60374 is a Stored Cross-Site Scripting (XSS) vulnerability in the chatbot feature of Perfex CRM versions before 3.3.1. It occurs because the chatbot does not properly validate or encode user input in chat messages, allowing attackers to inject malicious HTML or JavaScript code. This code is stored on the server and executed in the browsers of users who view the chat, enabling client-side code execution and potentially harmful actions like stealing session tokens. [1]
How can this vulnerability impact me?
This vulnerability can lead to session token theft, allowing attackers to hijack user sessions and take over accounts, including administrator accounts. It can also enable privilege escalation, data exfiltration, phishing attacks by modifying page content or redirecting users, and other malicious actions executed in the victim's browser. The confidentiality and integrity of data are highly impacted, while availability impact is low. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves auditing chatbot messages for malicious HTML or JavaScript content that could indicate stored XSS payloads. Monitoring logs for suspicious activity related to chatbot usage is also recommended. Specific commands are not provided, but reviewing chat message data for injected scripts or unusual tags (e.g., <img onerror=...>, <iframe>, event handlers like onmouseover) can help identify exploitation attempts. [1]
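The audit the answer describes can be scripted. The following is an added example, not code from Perfex CRM or from this advisory: it runs a small set of case-insensitive stored-XSS indicators (script, frame and plugin tags, inline event handlers, `javascript:` URIs, SVG/MathML tags) over `(message_id, text)` rows such as a dump of the chat messages table. The sample rows, the indicator names and the `Finding` record are constructed for the example; the event-handler pattern is anchored inside a tag so that ordinary prose is not flagged.

```python
import re
from dataclasses import dataclass

# Audit patterns for stored-XSS indicators in chat message text (defender's view).
# Case-insensitive; the event-handler check is anchored inside a tag so that
# prose such as "depends on = 5" is not reported.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "frame_or_plugin_tag": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src)\s*=\s*['\"]?\s*javascript:", re.I),
    "svg_or_math_tag": re.compile(r"<\s*(?:svg|math)\b", re.I),
}


@dataclass
class Finding:
    message_id: int
    indicator: str
    excerpt: str


def scan_message(text: str) -> list[str]:
    """Return the names of all indicators that match one chat message."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def audit_messages(rows) -> list[Finding]:
    """Scan (message_id, text) rows, e.g. a dump of the chat messages table,
    and return one Finding per matching indicator with a short excerpt."""
    findings = []
    for message_id, text in rows:
        for name in scan_message(text):
            match = INDICATORS[name].search(text)
            start = max(0, match.start() - 20)
            findings.append(Finding(message_id, name, text[start:match.end() + 40]))
    return findings


# Constructed sample rows (not real Perfex data): two benign messages, one of
# which contains a bare "<", and three carrying the kinds of payloads the
# advisory describes.
SAMPLE_MESSAGES = [
    (1, "Hi, can you help me with invoice #1042?"),
    (2, "Note that 5 < 6 and <b>bold</b> text is fine"),
    (3, '<img src=x onerror="alert(document.cookie)">'),
    (4, 'click <a href="javascript:void(0)">here</a>'),
    (5, '<IFRAME SRC="https://example.invalid/"></IFRAME>'),
]

if __name__ == "__main__":
    for f in audit_messages(SAMPLE_MESSAGES):
        print(f"message {f.message_id}: {f.indicator}: {f.excerpt!r}")
```

Expect false positives from legitimate HTML in messages and review each finding by hand; the point of the excerpt is to make that triage quick. Messages whose payload is stored already entity-encoded will not match, which is the correct outcome because they render inertly.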
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Perfex CRM to version 3.3.1 or later, auditing and cleaning chatbot messages to remove malicious content, resetting user sessions to invalidate potentially compromised tokens, and monitoring logs for suspicious activity. Developers should also implement proper input sanitization and output encoding, enforce a strict Content Security Policy, and mark cookies as HttpOnly, Secure, and SameSite=Strict. [1]
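The developer-side controls listed above (output encoding, a strict Content Security Policy, and HttpOnly/Secure/SameSite=Strict cookies) are shown together below as an added example. It is not Perfex CRM code; Perfex is written in PHP and the Python here only illustrates the pattern. The vulnerable rendering is placed beside the hardened one, the CSP string and cookie builder are this example's own choices, and `missing_cookie_flags` is a small audit helper for checking an existing Set-Cookie header against the advisory's three flags. The payload is constructed, not taken from a real report.

```python
import html

# Constructed payload of the kind the advisory describes (not from a real report).
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_unsafe(message: str) -> str:
    """Vulnerable pattern: stored chat text interpolated raw into the page."""
    return f'<div class="chat-message">{message}</div>'


def render_safe(message: str) -> str:
    """Hardened pattern: HTML-encode the text before it reaches the page.
    The PHP equivalent is htmlspecialchars($s, ENT_QUOTES, 'UTF-8')."""
    return f'<div class="chat-message">{html.escape(message, quote=True)}</div>'


def content_security_policy() -> str:
    """A restrictive CSP header value: no inline scripts, no plugins, no framing.
    Any inline <script> or on* handler that slips through encoding is blocked."""
    directives = [
        "default-src 'self'",
        "script-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]
    return "; ".join(directives)


REQUIRED_COOKIE_FLAGS = {"HttpOnly", "Secure", "SameSite=Strict"}


def session_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie header value carrying the flags the advisory lists.
    HttpOnly keeps document.cookie (as in PAYLOAD) from reading the session."""
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


def missing_cookie_flags(set_cookie: str) -> set[str]:
    """Audit helper: return the required flags absent from a Set-Cookie value.
    Attribute names and the SameSite value are compared case-insensitively."""
    present = set()
    for attr in set_cookie.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        key = key.lower()
        if key == "httponly":
            present.add("HttpOnly")
        elif key == "secure":
            present.add("Secure")
        elif key == "samesite":
            present.add(f"SameSite={val.strip().capitalize()}")
    return REQUIRED_COOKIE_FLAGS - present


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    print("Content-Security-Policy:", content_security_policy())
    print("Set-Cookie:", session_cookie("sid", "opaque-token"))
    print("missing on weak cookie:", missing_cookie_flags("sid=abc; Path=/"))
```

Encoding at output time is the fix; CSP and the cookie flags are defence in depth that limit what a payload can do if encoding is ever missed, which is why the advisory lists all three.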