Lang Khuong Duy

**Name of the Vulnerable Software and Affected Versions** Perfex Crm versions prior to 3.2.1 **Description** The issue allows an authenticated attacker to send a crafted HTTP POST request to the "upload sales file" endpoint. By providing malicious input in the `rel id` parameter, combined with improper input validation, the attacker can bypass restrictions and upload arbitrary files to directories of their choice, potentially leading to remote code execution or server compromise. **Recommendations** For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "upload sales file" endpoint or disabling the ability to upload files through this endpoint until a patch is applied. Avoid using the `rel id` parameter in the affected endpoint until the issue is resolved.