Platform
php
Component
jeson-customer-relationship-management-system
A server-side request forgery (SSRF) vulnerability has been identified in the API module of Jeson-Customer-Relationship-Management-System. The flaw lets an attacker make the application server issue requests on the attacker's behalf, which can lead to unauthorized access to internal systems and data. The vulnerability affects the code base up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00; a patch (f76e7123f) is available.
The SSRF in Jeson-Customer-Relationship-Management-System is reached through the 'url' parameter of the /api/System.php endpoint. The value is used as the target of a server-side fetch, so an attacker who controls it can make the server request arbitrary internal or external resources. The blast radius is whatever the API server can reach from its network position: internal services that are not exposed to the internet, cloud metadata endpoints, and, if the fetch function honours file:// or other stream wrappers, local files such as configuration files. Because the request originates from a trusted host, it may also pass network controls that would block the attacker directly, so the realistic outcomes range from information disclosure to interaction with internal systems and, in the worst case, full compromise.
This vulnerability has been publicly disclosed and the exploitation technique is known, so it is accessible to a wide range of attackers. No specific campaigns are documented and there is no KEV listing at the time of writing, but SSRF flaws of this kind are easy to exploit and are routinely targeted. Public disclosure raises the likelihood of exploitation attempts, and because the project publishes no release version numbers, operators cannot tell at a glance whether their build is fixed, which increases the chance that vulnerable instances stay exposed.
Organizations utilizing Jeson-Customer-Relationship-Management-System, particularly those with internal services accessible from the API server, are at risk. Environments with weak network segmentation or overly permissive firewall rules are especially vulnerable. Shared hosting environments where multiple customers share the same server instance also face increased risk.
• php / server:
# Locate where the 'url' parameter is read in the affected endpoint
grep -nE "[\"']url[\"']" /var/www/jeson-customer-relationship-management-system/api/System.php
• generic web:
# Only against an instance you own: point the url parameter at a listener you control and watch for an inbound connection
curl -sS -o /dev/null -w '%{http_code}\n' 'http://your-jeson-crm-api/api/System.php?url=http://internal-service/'
• generic web:
# The web server's access log records inbound requests, so look for url= values on /api/System.php that point at loopback, private or link-local (metadata) addresses
grep -E 'System\.php\?.*url=' /var/log/apache2/access.log | grep -E '(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|localhost)'
Exploit status
disclosure
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
Because Jeson-Customer-Relationship-Management-System follows a continuous delivery model, there are no release version numbers for affected or fixed builds; identify your build by its commit hash. The recommended mitigation is to apply the provided patch, f76e7123f, immediately. If the patch cannot be applied right away, add a Web Application Firewall rule that rejects url parameter values pointing at loopback, private, link-local or non-http(s) targets, restrict outbound network access from the API server to the internal resources it genuinely needs, and monitor access logs for requests to /api/System.php whose url parameter targets internal hosts. After patching, confirm remediation in a test environment by sending a url parameter that points at a listener you control (and at an internal address) and verifying that the request is refused or handled safely.
It is recommended to install the patch f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476 to fix the server-side request forgery (SSRF) vulnerability in the CRM system's API module. Since no information on affected and fixed versions is available, the patch should be applied as soon as possible. Further details on the vulnerability and the patch can be found in the provided references.
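The following is an added example, not code from the Jeson-Customer-Relationship-Management-System project, showing both sides of the advice above: an allow-list gate that a url parameter must pass before the server fetches anything, and the same gate run over access-log lines to flag requests that would have been refused. The allow-listed host name, the resolver table and the log lines are constructed for the example; the real endpoint's parameter handling is not shown on this page.

```php
<?php
// Added example (not project code). Vulnerable pattern it replaces, shown only as
// an illustration:  echo file_get_contents($_GET['url']);
declare(strict_types=1);

// Hosts the API is legitimately allowed to fetch from (assumed allow-list).
const ALLOWED_HOSTS = ['api.example-partner.com'];

/**
 * Returns null when $url may be fetched, otherwise a short reason string.
 * Rejects non-http(s) schemes (file://, gopher://, php://), URLs carrying
 * userinfo (http://allowed@127.0.0.1/), hosts outside the allow-list, and
 * allow-listed names that resolve to loopback, RFC1918 or link-local addresses.
 */
function ssrf_reject_reason(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return 'unparseable URL';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme '{$scheme}' not allowed";
    }
    if (empty($parts['host'])) {
        return 'missing host';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'userinfo in URL';
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return "host '{$host}' not on allow-list";
    }
    foreach (resolve_addresses($host) as $ip) {
        if (!is_public_ip($ip)) {
            return "host '{$host}' resolves to non-public address {$ip}";
        }
    }
    return null;
}

function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Hypothetical resolver stub so the example runs offline; use gethostbynamel() plus an AAAA lookup in production. */
function resolve_addresses(string $host): array
{
    static $table = ['api.example-partner.com' => ['203.0.113.10']];  // constructed DNS data
    return $table[$host] ?? [];
}

/** Fetch only after the gate passes; redirects are disabled so a 302 cannot re-route to an internal host. */
function fetch_if_allowed(string $url): string
{
    if (($why = ssrf_reject_reason($url)) !== null) {
        throw new InvalidArgumentException("refused: {$why}");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}

/** Extract the decoded url query parameter from an Apache combined-log line, or null if absent. */
function url_param_from_log_line(string $line): ?string
{
    if (!preg_match('#"(?:GET|POST) (/api/System\.php\?[^" ]+) HTTP/#', $line, $m)) {
        return null;
    }
    parse_str(substr($m[1], strpos($m[1], '?') + 1), $params);
    return isset($params['url']) && is_string($params['url']) ? $params['url'] : null;
}

/** Returns [line number => reason] for log lines whose url target the gate would refuse. */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $url = url_param_from_log_line($line);
        if ($url !== null && ($why = ssrf_reject_reason($url)) !== null) {
            $hits[$i + 1] = $why;
        }
    }
    return $hits;
}

// Constructed access-log lines: one legitimate call, three SSRF attempts, one unrelated request.
$sample_log = [
    '10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /api/System.php?url=https://api.example-partner.com/v1/ping HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/May/2026:10:01:09 +0000] "GET /api/System.php?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 1309',
    '198.51.100.7 - - [12/May/2026:10:01:15 +0000] "GET /api/System.php?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/May/2026:10:01:20 +0000] "GET /api/System.php?url=http://api.example-partner.com%40127.0.0.1/ HTTP/1.1" 500 0',
    '10.0.0.5 - - [12/May/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 100',
];
foreach (scan_access_log($sample_log) as $n => $why) {
    echo "line {$n}: {$why}\n";
}
```

The scan reports lines 2, 3 and 4 (metadata address not on the allow-list, file scheme, userinfo trick) and passes line 1. Two caveats: the resolved-address check closes the DNS-to-private-IP route but not a rebinding race between the check and curl's own resolution, so the outbound firewall restriction from the mitigation paragraph remains necessary; and a production scanner should also decode the log line's own escaping before parsing the query string.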
CVE-2026-4623 is a HIGH severity SSRF vulnerability affecting the Jeson-Customer-Relationship-Management-System API Module, allowing attackers to manipulate internal requests.
If you are using Jeson-Customer-Relationship-Management-System API Module up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00, you are potentially affected.
Apply the patch f76e7123f. Consider WAF rules and network restrictions as interim mitigations.
The vulnerability has been publicly disclosed. No exploitation campaigns have been reported, but the flaw is straightforward to exploit, so exposed instances should be treated as at risk.
Refer to the Jeson-Customer-Relationship-Management-System documentation and release notes for the latest advisory regarding this vulnerability.