제출 #858046: 1Panel-dev CordysCRM 1.4.1 Server-Side Request Forgery정보

제목1Panel-dev CordysCRM 1.4.1 Server-Side Request Forgery
설명The IntegrationConfigService component in CordysCRM v1.4.1 contains a Server-Side Request Forgery (SSRF) vulnerability. This vulnerability stems from the getSqlBotSrc() method extracting URLs from the appSecret parameter using regex pattern without proper validation in the /organization/settings/third-party/test endpoint. Extracted URLs are directly used to create HTTP connections without whitelist validation, protocol restriction, or internal IP blocking. This endpoint requires lower privileges (SYSTEM_SETTING_READ), expanding the attack surface. Attackers can inject malicious URLs via the appSecret parameter.
원천⚠️ https://github.com/1Panel-dev/CordysCRM/issues/2688
사용자
 liushaozhe (UID 83234)
제출2026. 06. 13. PM 07:40 (1 월 ago)
모더레이션2026. 07. 18. PM 02:11 (1 month later)
상태중복
VulDB 항목380045 [1Panel-dev CordysCRM 까지 1.4.1 Third Party Edit Endpoint IntegrationConfigService.java getSqlBotSrc appSecret 권한 상승]
포인트들0

Want to stay up to date on a daily basis?

Enable the mail alert feature now!