जमा करें #858045: 1Panel-dev CordysCRM 1.4.1 Server-Side Request Forgeryजानकारी

शीर्षक1Panel-dev CordysCRM 1.4.1 Server-Side Request Forgery
विवरणThe IntegrationConfigService component in CordysCRM v1.4.1 contains a Server-Side Request Forgery (SSRF) vulnerability. This vulnerability stems from the getSqlBotSrc() method extracting URLs from the appSecret parameter using regex pattern without proper validation. Extracted URLs are directly used to create HTTP connections via URI.create(jsUrl).toURL().openConnection() in the /organization/settings/third-party/edit endpoint. No whitelist validation, protocol restriction, or internal IP blocking is applied. Attackers can inject malicious URLs via the appSecret parameter (e.g., appSecret": "src="<http://malicious\\>"").
स्रोत⚠️ https://github.com/1Panel-dev/CordysCRM/issues/2687
उपयोगकर्ता
 liushaozhe (UID 83234)
सबमिशन13/06/2026 07:39 PM (1 महीना पहले)
संयम18/07/2026 02:11 PM (1 month later)
स्थितिस्वीकृत
VulDB प्रविष्टि380045 [1Panel-dev CordysCRM तक 1.4.1 Third Party Edit Endpoint IntegrationConfigService.java getSqlBotSrc appSecret अधिकार वृद्धि]
अंक20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!