CVE-2026-7783
SQL Injection in Perfex CRM
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codecanyon | perfex_crm | to 3.4.1 (inc) |
Weaknesses
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in CodeCanyon Perfex CRM up to and including version 3.4.1. It affects the function AbstractKanban::applySortQuery in the file application/services/AbstractKanban.php, part of the Admin Kanban Endpoint component. Manipulating an argument of this function leads to SQL injection, which a remote attacker can exploit to execute unauthorized SQL commands against the database.
How can this vulnerability impact me?
The vulnerability can allow a remote attacker to perform SQL injection attacks, potentially leading to unauthorized access, modification, or deletion of data within the affected system. This can compromise the confidentiality, integrity, and availability of the data managed by the Perfex CRM application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to read the entire database, including sensitive client and project data, as well as bcrypt-wrapped password hashes. Such unauthorized access to personal and sensitive information can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal data.
The exposure of sensitive data through SQL injection can result in non-compliance with these standards, potentially leading to legal penalties, loss of trust, and the requirement to notify affected individuals and authorities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `sort_by` parameter of the kanban-related endpoints for blind time-based SQL injection: when the parameter is injectable, a payload containing the SLEEP function produces a measurable delay in the response.
A common detection method therefore sends crafted requests to the affected endpoints and compares their response times against a baseline request.
- Use curl or similar tools to send requests with payloads like: ?sort_by=column_name,SLEEP(5)-- to the kanban endpoints (leads, proposals, estimates, tasks).
- Example command: curl -i 'http://target/perfexcrm/admin/kanban/leads?sort_by=id,SLEEP(5)--'
- Observe if the response time is significantly delayed (e.g., by 5 seconds), indicating the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying a fix that whitelists the sortable columns in the `applySortQuery` method and removes the unsafe use of the `order_by` parameter, so that request input can no longer be concatenated into the query.
Until a patch is applied, restrict access to the affected endpoints and monitor for suspicious activity, especially from staff accounts with minimal permissions, since the vulnerable endpoints sit behind the admin login.
- Update Perfex CRM to a version where this vulnerability is fixed.
- Implement input validation and sanitization on the `sort_by` parameter.
- Limit staff account permissions and monitor logs for unusual queries or delays.
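As an added illustration of the allowlist fix described above (example code, not Perfex CRM's own), the following parser accepts only known column names and sort directions for `sort_by`; the allowlist contents and the assumed `column,direction` layout of the parameter are constructed for this example.

```php
<?php
// Added example, not code from Perfex CRM: an allowlist-based replacement for
// concatenating a request-controlled "sort_by" value into ORDER BY.
declare(strict_types=1);

/**
 * Turn a raw "sort_by" value such as "dateadded,desc" into a safe ORDER BY
 * fragment. Anything that is not an allowlisted column or a known direction
 * is rejected outright, so SQL syntax never reaches the query builder.
 *
 * @param string   $sortBy  raw request parameter (assumed "column[,direction]")
 * @param string[] $allowed column names that may be sorted on for this endpoint
 * @return string|null      e.g. "`dateadded` DESC", or null when rejected
 */
function buildSafeOrderBy(string $sortBy, array $allowed): ?string
{
    $parts     = array_map('trim', explode(',', $sortBy, 2));
    $column    = $parts[0];
    $direction = strtoupper($parts[1] ?? 'ASC');

    // Exact-match membership test: no escaping, no pattern matching.
    if (!in_array($column, $allowed, true)) {
        return null;
    }
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        return null;
    }
    // The identifier is now known to be a plain column name, so quoting it
    // is safe; the direction is one of two fixed keywords.
    return '`' . $column . '` ' . $direction;
}

// Assumed allowlist for the leads kanban (constructed for this example).
$leadsSortable = ['id', 'name', 'dateadded', 'lastcontact'];

// A benign value is accepted unchanged in meaning...
var_export(buildSafeOrderBy('dateadded,desc', $leadsSortable));
echo PHP_EOL;
// ...while the advisory's time-based payload is rejected before any query is
// built, because "SLEEP(5)--" is neither ASC nor DESC.
var_export(buildSafeOrderBy('id,SLEEP(5)--', $leadsSortable));
echo PHP_EOL;
```

A caller that receives null should fall back to a fixed default ordering rather than echo the rejected value back, so the response reveals nothing about the query structure.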