PT-2025-6729 · Unknown · Perfex Crm

Author: Juylang (+1)
Published: 2025-02-13 · Updated: 2025-02-14
CVE: CVE-2024-56908
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Perfex CRM, versions prior to 3.2.1.

Description: The "upload sales file" endpoint accepts an HTTP POST request from an authenticated user. Because the rel_id parameter is not validated before it is used to build the destination path, an attacker can supply a value containing path-traversal sequences and have the uploaded file written to a directory of their choice instead of the intended upload location. If the chosen directory is served by the web server, a file with executable content (for example a PHP script) leads to remote code execution and full server compromise. Note the CVSS vector: the attack requires high privileges (PR:H) and user interaction (UI:R), so the practical precondition is access to a privileged CRM account plus an action by a user.

Recommendations: For versions prior to 3.2.1, update to version 3.2.1 or later. Until the update is applied, restrict access to the "upload sales file" endpoint (for example to trusted networks or administrators) or disable file uploads through it. Treat rel_id strictly as a numeric identifier: reject any value that is not a positive integer, and confirm that the resolved upload directory still lies under the configured upload root before writing the file.
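The following PHP is an added illustration and is neither Perfex CRM's code nor the vendor's patch. It shows the weakness class the description points at: a request parameter (rel_id) interpolated into an upload path, so "../" sequences escape the upload root, beside a hardened version that enforces the checks from the recommendations (integer rel_id, allow-listed rel_type, containment under the upload root, and a server-chosen file name with an allow-listed extension). UPLOAD_ROOT, the rel_type values, the extension policy and the function names are assumptions made for the example; the malicious rel_id value is constructed.

```php
<?php
// Added illustration, not Perfex CRM's own code. UPLOAD_ROOT, the rel_type
// values, the extension policy and the function names are assumptions.
declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/crm/uploads/sales';                 // assumed upload base
const ALLOWED_REL_TYPES = ['invoice', 'estimate', 'proposal'];    // assumed values
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'docx']; // assumed policy

/**
 * Collapse "." and ".." segments lexically (no filesystem access), so the
 * containment check works even before the target directory exists.
 */
function normalize_path(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

/** Vulnerable pattern: rel_id is interpolated into the path exactly as received. */
function vulnerable_upload_dir(string $relType, string $relId): string
{
    return normalize_path(UPLOAD_ROOT . '/' . $relType . '/' . $relId);
}

/**
 * Hardened pattern: rel_type must be on an allow-list, rel_id must be a
 * positive integer, and the resolved directory must stay under UPLOAD_ROOT.
 * Returns null when any check fails.
 */
function safe_upload_dir(string $relType, string $relId): ?string
{
    if (!in_array($relType, ALLOWED_REL_TYPES, true)) {
        return null;
    }
    if (!ctype_digit($relId) || (int) $relId <= 0) {
        return null;
    }
    $dir = normalize_path(UPLOAD_ROOT . '/' . $relType . '/' . (int) $relId);
    // Defence in depth: even after the checks above, confirm containment.
    if (strpos($dir . '/', UPLOAD_ROOT . '/') !== 0) {
        return null;
    }
    return $dir;
}

/** Keep only the base name, require an allow-listed extension, pick the on-disk name server-side. */
function safe_upload_filename(string $clientName): ?string
{
    $base = basename($clientName);
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed request values, as an attacker might send them.
$traversal = '../../../../../../var/www/crm';
echo "vulnerable: ", vulnerable_upload_dir('invoice', $traversal), PHP_EOL;
echo "hardened:   ", var_export(safe_upload_dir('invoice', $traversal), true), PHP_EOL;
echo "hardened:   ", var_export(safe_upload_dir('invoice', '42'), true), PHP_EOL;
echo "filename:   ", var_export(safe_upload_filename('shell.php'), true), PHP_EOL;
echo "filename:   ", var_export(safe_upload_filename('../quote.pdf') !== null, true), PHP_EOL;
```

Run it with `php example.php`: the vulnerable function resolves the traversal value to a directory outside the upload root, while the hardened function returns null for it and accepts only a plain integer. The containment check is kept even though the integer check already excludes separators, because the two checks fail independently if one is later relaxed.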

Fix: update to Perfex CRM 3.2.1 or later (see Recommendations).

Weakness Enumeration: HTTP Request/Response Smuggling (as listed on this page; note that the behaviour described above is path traversal in a file-upload handler).

Related Identifiers: CVE-2024-56908

Affected Products: Perfex Crm