HTML Injection Vulnerability in Perfex CRM by Perfex
CVE-2025-10345

5.3MEDIUM

Key Information:

Vendor: Perfex Crm
Status: Perfex Crm
Vendor: CVE Published:; 29 September 2025

What is CVE-2025-10345?

An HTML injection vulnerability exists in Perfex CRM v3.2.1, enabling attackers to exploit the system through stored input. This issue arises due to inadequate validation of user input when parameters such as 'name' and 'address' are sent via a POST request to the 'admin/leads/lead' endpoint. As a result, malicious HTML content can be injected, potentially compromising the integrity and security of the application. It is crucial for users of Perfex CRM to review and strengthen their input validation mechanisms to mitigate this risk.

Affected Version(s)

Perfex CRM 3.2.1

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2025
Vulnerability Reserved
Sep 12, 2025

Credit

Gonzalo Aguilar García (6h4ack)

JSON

Perfex Crm

What is CVE-2025-10345?

Affected Version(s)

References

CVSS V4

Timeline

Credit