Gửi #858043: 1Panel-dev CordysCRM 1.4.1 Server-Side Request Forgerythông tin

tiêu đề1Panel-dev CordysCRM 1.4.1 Server-Side Request Forgery
Mô tảThe IntegrationConfigService component in CordysCRM v1.4.1 contains a Server-Side Request Forgery (SSRF) vulnerability. This vulnerability stems from the lack of input validation on the mkAddress parameter in the /organization/settings/third-party/edit endpoint when processing MAXKB configuration requests. The parameter is directly concatenated into a URL and used to make HTTP requests without whitelist validation, protocol restriction, or internal IP blocking. Attackers can craft malicious mkAddress values to force the server to make requests to arbitrary external addresses, potentially leading to internal network reconnaissance or data leakage.
Nguồn⚠️ https://github.com/1Panel-dev/CordysCRM/issues/2685
Người dùng
 liushaozhe (UID 83234)
Đệ trình13/06/2026 19:36 (cách đây 1 tháng)
Kiểm duyệt18/07/2026 14:11 (1 month later)
Trạng tháiđược chấp nhận
Mục VulDB380044 [1Panel-dev CordysCRM đến 1.4.1 Third Party Endpoint TokenService.java mkAddress nâng cao đặc quyền]
điểm20

Do you know our Splunk app?

Download it now for free!