CVE-2025-60374 is a stored Cross-Site Scripting (XSS) vulnerability identified in the chatbot component of Perfex CRM versions before 3.3.1. Stored XSS occurs when malicious input is permanently saved by the application and later rendered in users' browsers without proper sanitization or encoding. In this case, attackers can inject arbitrary HTML or JavaScript payloads into the chatbot interface, which are then executed in the context of any user viewing the chat. This execution can lead to theft of session tokens, enabling account hijacking, or other malicious actions such as redirecting users to phishing sites or performing actions on behalf of the user. The vulnerability does not require the attacker to have any privileges (no authentication needed) but does require user interaction to trigger the payload. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The confidentiality and integrity impacts are low, while availability is unaffected. No public exploits have been reported yet, and no official patches are linked, but upgrading to Perfex CRM 3.3.1 or later is recommended. This vulnerability is distinct from CVE-2024-8867, indicating multiple security issues in the product.

For European organizations using Perfex CRM with the vulnerable chatbot component, this XSS vulnerability poses a risk of client-side code execution leading to session hijacking and potential unauthorized access to sensitive CRM data. Compromised sessions can result in data leakage, manipulation of customer records, or unauthorized actions within the CRM system. This can damage business operations, customer trust, and compliance with data protection regulations such as GDPR. The medium severity indicates a moderate risk, but the impact can be significant if exploited in environments with high-value data or critical business processes. Since the attack requires user interaction, social engineering or phishing campaigns targeting employees may be used to trigger the exploit. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread abuse occurs.

European organizations should immediately verify their Perfex CRM version and upgrade to version 3.3.1 or later where this vulnerability is fixed. In the absence of an official patch, applying input validation and output encoding on chatbot inputs and outputs can reduce risk. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Educate users to be cautious with unexpected chatbot messages and avoid clicking suspicious links. Monitor logs for unusual chatbot activity or injected scripts. Employ web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense. Regularly review and update CRM security configurations and conduct security assessments focusing on client-side vulnerabilities. Finally, maintain an incident response plan to quickly address any exploitation attempts.