# Security Advisory — PerfexCRM Authentication Bypass (CVE-2025-60375, RESERVED)

- **Advisory ID:** perfexcrm-auth-bypass-2025
- **CVE:** CVE-2025-60375 (RESERVED)
- **Product:** PerfexCRM
- **Affected versions:** versions prior to 3.3.1 (< 3.3.1)
- **Date discovered:** [replace with discovery date]
- **Reported by:** Ajansha Shankar, Ahamed Yaseen
- **References:** OWASP Authentication Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

---

## Summary

An authentication bypass exists in the admin login mechanism of PerfexCRM prior to version 3.3.1. The server's authentication workflow does not sufficiently validate the presence and contents of the username and password parameters. An attacker who manipulates the login request to supply empty username and password parameters may be granted access to user accounts, including administrative accounts.

---

## Impact

- Unauthorized access to user accounts (including admin).
- Potential full compromise of the application and exposure of sensitive data.
- Remote exploitation — the attacker only needs the ability to send HTTP requests to the login endpoint.

---

## Technical details & reproduction

1. Intercept the POST request sent to the admin login endpoint (e.g., `/admin/auth/login`).
2. Remove the `username` and `password` fields from the request body, or set them to empty values.
3. Forward the modified request. The server may respond with `419 Page expired` on refresh but will redirect to the dashboard and provide an authenticated session without valid credentials.

**Root cause (summary):** insufficient server-side validation and improper control flow that allow session or application logic to mark the request as authenticated even when credentials are missing.

---

## Mitigation / Remediation

- Fix server-side authentication: reject requests missing a username or password with an explicit 4xx error (e.g., 400/401).
- Ensure session creation and privilege assignment happen only after successful credential verification.
- Add unit and integration tests that validate behavior against empty and missing credential values.
- Consider adding rate limiting and monitoring for suspicious login attempts while the fix is deployed.

---

## Suggested CVSS (example)

- CVSS v3.1 (example): **7.8 (High)** — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

> Note: This is an estimated vector for triage. Provide a precise CVSS vector after coordinated disclosure.

---

## Contact / Credit

- Reported by: Ajansha Shankar and Ahamed Yaseen
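The login control flow the Mitigation section calls for, written as an added Python example rather than PerfexCRM's own code: presence and non-empty checks run before any lookup (400 on failure), the password is verified before anything else happens (401 on failure), and a session object is created only on the success path. The form shape, the in-memory user store and the PBKDF2 hashing are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed user store for the example: username -> (salt, pbkdf2 hash).
def _hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

_ADMIN_SALT = b"constructed-salt-not-real"
USERS = {"admin": (_ADMIN_SALT, _hash(b"correct horse", _ADMIN_SALT))}

# Dummy credentials used for unknown users so the verify step always runs
# (keeps timing uniform); they can never match a real stored hash.
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def login(form: dict, users: dict = USERS) -> Tuple[int, Optional[dict]]:
    """Return (http_status, session). session is None unless status is 200.

    Step 1: presence and non-empty validation. An absent, non-string, empty
    or whitespace-only field is rejected here, before any lookup, so the
    "empty username + empty password" request can never reach step 3.
    """
    username = form.get("username")
    password = form.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return 400, None
    if username.strip() == "" or password == "":
        return 400, None

    # Step 2: credential verification in constant time. Failure is reported
    # with 401 and, crucially, without touching any session state.
    salt, stored = users.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password.encode("utf-8"), salt), stored)
    if username not in users or not ok:
        return 401, None

    # Step 3: only a verified user reaches session creation and privilege
    # assignment. Nothing above this line produces a session.
    return 200, {"user": username, "token": secrets.token_hex(16)}
```

The test cases below are the "empty/missing credential" regression checks the Mitigation section asks for; they must keep returning 400/401 after any refactor of the login path.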