PT-2025-43900 · Perx · Customer Engagement & Loyalty Platform
Published
2025-10-27
·
Updated
2025-10-27
·
CVE-2025-11682
CVSS v4.0
7.1
High
| Vector | AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Perx Customer Engagement & Loyalty Platform versions prior to 4.617.4
Description
A stored cross-site scripting (XSS) issue exists in the LMT Dashboard of the Perx Customer Engagement & Loyalty Platform. This allows an authenticated attacker to execute arbitrary JavaScript code in a victim’s browser. The issue is caused by insufficient sanitization of SVG file uploads. An attacker can upload a malicious SVG file containing a script payload to a campaign. When another user views this image on the public LMT microsite, the script executes, potentially leading to session hijacking or data theft. The vulnerability involves uploading a malicious SVG file, which then executes a script when viewed.
Recommendations
Versions prior to 4.617.4 should be updated.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Customer Engagement & Loyalty Platform