
CVE-2025-60374: n/a

Medium
Published: Tue Oct 14 2025 (10/14/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Stored Cross-Site Scripting (XSS) in Perfex CRM chatbot before 3.3.1 allows attackers to inject arbitrary HTML/JavaScript. The payload is executed in the browsers of users viewing the chat, resulting in client-side code execution, potential session token theft, and other malicious actions. A different vulnerability than CVE-2024-8867.

AI-Powered Analysis

AI analysis last updated: 10/14/2025, 20:08:18 UTC

Technical Analysis

CVE-2025-60374 is a stored Cross-Site Scripting (XSS) vulnerability identified in the chatbot component of Perfex CRM versions before 3.3.1. Stored XSS occurs when malicious input is saved on the server and later rendered in users' browsers without proper sanitization or encoding. In this case, attackers can inject arbitrary HTML or JavaScript code into the chatbot messages, which is then executed in the context of any user viewing the chat interface. This enables client-side code execution, potentially allowing attackers to steal session tokens, perform actions on behalf of the user, or deliver further malicious payloads such as keyloggers or phishing content. The vulnerability is distinct from previously known issues like CVE-2024-8867, indicating a separate flaw in input handling. Although no public exploits are currently known, the risk remains significant due to the nature of stored XSS and its impact on confidentiality and integrity. The lack of a CVSS score suggests the vulnerability is newly published and pending further evaluation. Perfex CRM is a customer relationship management platform used by small to medium enterprises, and the chatbot feature is often used for customer interaction and support, making this an attractive attack vector for adversaries targeting business communications.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized access to user sessions, data theft, and compromise of internal communications if the chatbot is used for sensitive interactions. Attackers exploiting this flaw could impersonate legitimate users, escalate privileges, or spread malware within the organization. The impact is particularly severe for sectors relying heavily on CRM systems for customer data management, such as finance, healthcare, and professional services. Additionally, compromised session tokens could lead to broader network access if single sign-on or integrated authentication mechanisms are in place. The stored nature of the XSS means that multiple users can be affected over time, increasing the attack surface. Given the widespread use of web-based CRM tools in Europe, the vulnerability poses a significant risk to data confidentiality and integrity, potentially leading to regulatory compliance issues under GDPR if personal data is exposed or mishandled.

Mitigation Recommendations

The primary mitigation is to upgrade Perfex CRM to version 3.3.1 or later, where this vulnerability has been addressed. Organizations should also implement strict input validation on chatbot submissions and context-aware output encoding wherever stored messages are rendered, so that injected markup is displayed as text rather than interpreted by the browser. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit and sanitize stored chat data to remove any malicious payloads. Limit chatbot access to authenticated and authorized users only, reducing exposure. Conduct security awareness training for users to recognize suspicious chatbot behavior. Additionally, monitor logs for unusual activity related to chatbot interactions and implement web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the chatbot endpoints. Finally, ensure session management follows best practices, such as using HttpOnly and Secure flags on cookies to mitigate token theft.
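The output-encoding, stored-data audit and header hardening steps above, as an added Node.js example that is not Perfex CRM code; the message shape, the sample chat store and the header values are constructed assumptions:

```javascript
// Added example, not Perfex CRM code: output encoding for stored chat
// messages, an audit pass over stored data, and the headers recommended above.
// Message shape { id, sender, body } and all sample values are constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };

// Encode for the HTML text context; browsers render the result as literal text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the stored body is concatenated straight into the markup,
// so a body containing a script tag is executed by every viewer of the chat.
function renderUnsafe(msg) {
  return `<div class="chat-msg"><b>${msg.sender}</b>: ${msg.body}</div>`;
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderSafe(msg) {
  return `<div class="chat-msg"><b>${escapeHtml(msg.sender)}</b>: ${escapeHtml(msg.body)}</div>`;
}

// Audit stored chat data: flag bodies that contain markup or a javascript: URL.
// A bare "<" followed by whitespace ("1 < 2") is legitimate text and is not flagged.
function auditStoredMessages(messages) {
  const suspicious = /<[a-z!\/]|javascript:/i;
  return messages.filter((m) => suspicious.test(m.body)).map((m) => m.id);
}

// Defence in depth: a CSP that blocks inline script, and a session cookie that
// page script cannot read (HttpOnly) and that only travels over TLS (Secure).
function securityHeaders(sessionId) {
  return {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    "Set-Cookie": `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`,
  };
}

// Constructed sample chat store: one message carries a textbook test payload.
const STORED_MESSAGES = [
  { id: 101, sender: "visitor", body: "<script>alert(1)</script> hello" },
  { id: 102, sender: "agent", body: "1 < 2 is true, and that answers your question" },
];
```

Running `renderUnsafe` and `renderSafe` over the same stored message shows the difference: the first emits the script tag verbatim, the second emits it as entities that display as text.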


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68eeacdbbbec4fba96e15baf

Added to database: 10/14/2025, 8:04:43 PM

Last enriched: 10/14/2025, 8:08:18 PM

Last updated: 10/16/2025, 1:37:53 AM
