CVE-2024-56908: Input Validation
First published: Thu Feb 13 2025(Updated: )
In Perfex Crm < 3.2.1, an authenticated attacker can send a crafted HTTP POST request to the affected upload_sales_file endpoint. By providing malicious input in the rel_id parameter, combined with improper input validation, the attacker can bypass restrictions and upload arbitrary files to directories of their choice, potentially leading to remote code execution or server compromise.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Perfex CRM | <3.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-56908?
CVE-2024-56908 is classified as a moderate severity vulnerability.
What are the effects of CVE-2024-56908?
CVE-2024-56908 allows an authenticated attacker to upload arbitrary files through the upload_sales_file endpoint.
How do I fix CVE-2024-56908?
To mitigate CVE-2024-56908, upgrade Perfex CRM to version 3.2.1 or later.
Which versions of Perfex CRM are affected by CVE-2024-56908?
CVE-2024-56908 affects Perfex CRM versions prior to 3.2.1.
What type of attack does CVE-2024-56908 enable?
CVE-2024-56908 enables arbitrary file upload attacks due to improper input validation.
- agent/references
- agent/author
- agent/description
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/first-publish-date
- agent/tags
- collector/nvd-api
- source/NVD
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/event
- vendor/perfex
- canonical/perfex crm