
Ajansha Shankar

#17245 of 53,635
15.6 Total CVSS
Vulnerabilities · 2
High
2
PT-2025-41594
8.3
2025-10-10
Unknown · Perfex Crm · CVE-2025-55903
**Name of the Vulnerable Software and Affected Versions** Perfex CRM version 3.3.1

**Description** The application does not properly sanitize user input in the "Bill To" address field within the estimate module. This allows for the injection of arbitrary HTML that is rendered without escaping in client-facing documents. The vulnerable parameter is the "Bill To" address field.

**Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider sanitizing user input for the "Bill To" address field within the estimate module.
PT-2025-41488
7.3
2025-10-09
Unknown · Perfex Crm · CVE-2025-60375
**Name of the Vulnerable Software and Affected Versions** Perfex CRM versions prior to 3.3.1

**Description** The authentication process in Perfex CRM has a flaw where server-side validation is inadequate. This allows attackers to bypass normal login procedures by submitting empty values for the `username` and `password` parameters in a login request. Successful exploitation grants unauthorized access to user accounts, potentially including administrative accounts.

**Recommendations** Update Perfex CRM to version 3.3.1 or later.