HTML Injection Vulnerability in Perfex CRM by Perfex
CVE-2025-10342

5.3MEDIUM

Key Information:

Vendor: Perfex Crm
Status: Perfex Crm
Vendor: CVE Published:; 29 September 2025

What is CVE-2025-10342?

An HTML injection vulnerability exists in Perfex CRM v3.2.1, which allows for stored HTML injection through improper validation of user input. Specifically, when a POST request is sent to the '/subscriptions/create' endpoint with an input in the 'name' parameter, the application fails to adequately sanitize the data. This can lead to potential manipulation of web pages viewed by other users, exposing them to various security risks.

Affected Version(s)

Perfex CRM 3.2.1

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2025
Vulnerability Reserved
Sep 12, 2025

Credit

Gonzalo Aguilar García (6h4ack)

JSON

Perfex Crm

What is CVE-2025-10342?

Affected Version(s)

References

CVSS V4

Timeline

Credit