Description
A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxf_dump_systable.php of the component HTTP GET Request Handler. Such manipulation of the argument gblOrgID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-07
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Chanjet CRM has a flaw in the HTTP GET Request handler for /tools/jxf_dump_systable.php. An attacker can control the gblOrgID argument and inject arbitrary SQL. Exploitation would allow unauthorized database access, potentially exposing or modifying sensitive data. The weakness is a classic injection vulnerability, reflected in the CWE-74 and SQL injection descriptor CWE-89.

Affected Systems

The flaw exists in Chanjet CRM version 1.0. No other versions or components are listed as affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score is not reported, so the exact exploitation probability is unknown, but the vulnerability is publicly documented and an exploit is available. Because the attack can be launched remotely over HTTP, the potential impact is significant. The vulnerability is not present in CISA’s KEV catalog.

Generated by OpenCVE AI on June 7, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Chanjet CRM once it is available.
  • If an immediate upgrade is not feasible, limit access to /tools/jxf_dump_systable.php by firewall or IP whitelisting so only trusted hosts can reach the endpoint.
  • Modify the application to enforce strict parameter validation for gblOrgID, rejecting non‑numeric values or using prepared statements to eliminate injection risk.

Generated by OpenCVE AI on June 7, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxf_dump_systable.php of the component HTTP GET Request Handler. Such manipulation of the argument gblOrgID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Chanjet CRM HTTP GET Request jxf_dump_systable.php sql injection
First Time appeared Chanjet
Chanjet crm
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:chanjet:crm:*:*:*:*:*:*:*:*
Vendors & Products Chanjet
Chanjet crm
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Chanjet Crm
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-07T07:15:07.511Z

Reserved: 2026-06-06T15:58:18.190Z

Link: CVE-2026-11456

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-07T09:16:21.673

Modified: 2026-06-07T09:16:21.673

Link: CVE-2026-11456

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T09:30:15Z

Weaknesses