जमा करें #858044: 1Panel-dev CordysCRM 1.4.1 Server-Side Request Forgeryजानकारी

शीर्षक1Panel-dev CordysCRM 1.4.1 Server-Side Request Forgery
विवरणThe IntegrationConfigService component in CordysCRM v1.4.1 contains a Server-Side Request Forgery (SSRF) vulnerability. This vulnerability stems from the lack of input validation on the mkAddress parameter in the /organization/settings/third-party/test endpoint when processing SQLBOT configuration test requests. The parameter is directly concatenated into a URL and used to make HTTP requests without whitelist validation, protocol restriction, or internal IP blocking. This endpoint requires lower privileges (SYSTEM_SETTING_READ), expanding the attack surface. Attackers can craft malicious mkAddress values to force the server to make requests to arbitrary external addresses.
स्रोत⚠️ https://github.com/1Panel-dev/CordysCRM/issues/2686
उपयोगकर्ता
 liushaozhe (UID 83234)
सबमिशन13/06/2026 07:38 PM (1 महीना पहले)
संयम18/07/2026 02:11 PM (1 month later)
स्थितिप्रतिलिपि
VulDB प्रविष्टि380044 [1Panel-dev CordysCRM तक 1.4.1 Third Party Endpoint TokenService.java mkAddress अधिकार वृद्धि]
अंक0

Do you need the next level of professionalism?

Upgrade your account now!