| शीर्षक | 1Panel-dev CordysCRM 1.4.1 Server-Side Request Forgery |
|---|
| विवरण | The IntegrationConfigService component in CordysCRM v1.4.1 contains a Server-Side Request Forgery (SSRF) vulnerability. This vulnerability stems from the getSqlBotSrc() method extracting URLs from the appSecret parameter using regex pattern without proper validation in the /organization/settings/third-party/test endpoint. Extracted URLs are directly used to create HTTP connections without whitelist validation, protocol restriction, or internal IP blocking. This endpoint requires lower privileges (SYSTEM_SETTING_READ), expanding the attack surface. Attackers can inject malicious URLs via the appSecret parameter. |
|---|
| स्रोत | ⚠️ https://github.com/1Panel-dev/CordysCRM/issues/2688 |
|---|
| उपयोगकर्ता | liushaozhe (UID 83234) |
|---|
| सबमिशन | 13/06/2026 07:40 PM (1 महीना पहले) |
|---|
| संयम | 18/07/2026 02:11 PM (1 month later) |
|---|
| स्थिति | प्रतिलिपि |
|---|
| VulDB प्रविष्टि | 380045 [1Panel-dev CordysCRM तक 1.4.1 Third Party Edit Endpoint IntegrationConfigService.java getSqlBotSrc appSecret अधिकार वृद्धि] |
|---|
| अंक | 0 |
|---|