Description
A security vulnerability has been detected in DefaultFuction Jeson-Customer-Relationship-Management-System up to 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. This affects an unknown function of the file /api/System.php of the component API Module. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The identifier of the patch is f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476. It is suggested to install a patch to address this issue.
Published: 2026-03-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

A flaw in the DefaultFuction Jeson-Customer-Relationship-Management-System API Module allows remote actors to manipulate the url parameter in /api/System.php, causing the server to issue arbitrary outbound HTTP requests. This server-side request forgery can expose internal resources, exfiltrate information, or trigger unintended actions within the network. The weakness is a classic SSRF scenario (CWE-918).

Affected Systems

The vulnerability affects the DefaultFuction Jeson-Customer-Relationship-Management-System. No precise version numbers are available because the product uses rolling releases; all code up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00 is impacted. The patch is identified by the commit hash f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476.

Risk and Exploitability

With a CVSS 4.0 score of 6.9 the flaw is rated medium severity. The exploit is publicly disclosed and can be launched remotely by supplying a crafted url argument. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, yet the remote, unauthenticated nature of the flaw and the lack of a validation guard on the url argument make it a credible threat worth addressing promptly. Systems that can reach internal or external networks from the API endpoint are at greatest risk.
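The validation guard the analysis says is missing, shown as an added defensive example that is not code from the project, the patch commits or OpenCVE: a scheme allowlist plus resolve-and-check of every address for an outbound `url` parameter such as the one in /api/System.php. The injectable `resolver` parameter and the sample DNS answers are assumptions so the check can be exercised without network access.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical guard for a server-side fetch parameter; illustrative only.
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host: str) -> list[str]:
    """Return every A/AAAA answer for host; all of them must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """Reject loopback, link-local (e.g. 169.254.0.0/16), RFC 1918/ULA, etc."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(
    url: str,
    resolver: Callable[[str], Iterable[str]] = default_resolver,
) -> tuple[bool, str]:
    """Return (ok, reason); ok only for http(s) URLs whose host resolves
    exclusively to public addresses."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "missing host"
    try:
        addrs = list(resolver(host))
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:  # one non-public answer is enough to refuse
        if not is_public_address(addr):
            return False, f"host resolves to non-public address {addr}"
    return True, "ok"
```

The address that passed the check must also be the one the HTTP client actually connects to (pin it, or re-resolve inside the client), and any redirect target must go through the same guard; otherwise DNS rebinding or an open redirect re-opens the hole.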

Generated by OpenCVE AI on March 24, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the application to the patched commit f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476, or mirror the newest release that incorporates the fix.


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Defaultfuction; Defaultfuction jeson Customer Relationship Management System

Type: Vendors & Products
Values Removed: none
Values Added: Defaultfuction; Defaultfuction jeson Customer Relationship Management System

Tue, 24 Mar 2026 02:30:00 +0000

Type: Description
Values Removed: none
Values Added: A security vulnerability has been detected in DefaultFuction Jeson-Customer-Relationship-Management-System up to 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. This affects an unknown function of the file /api/System.php of the component API Module. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The identifier of the patch is f76e7123fe093b8675f88ec8f71725b0dd186310/98bd4eb07fa19d4f2c5228de6395580013c97476. It is suggested to install a patch to address this issue.

Type: Title
Values Removed: none
Values Added: DefaultFuction Jeson-Customer-Relationship-Management-System API Module System.php server-side request forgery

Type: Weaknesses
Values Removed: none
Values Added: CWE-918

Type: References
Values Removed: none
Values Added: (not listed on this page)

Type: Metrics
Values Removed: none
Values Added:
cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-24T15:12:29.310Z

Reserved: 2026-03-23T06:08:02.864Z

Link: CVE-2026-4623

Vulnrichment

Updated: 2026-03-24T14:11:59.290Z

NVD

Status: Awaiting Analysis

Published: 2026-03-24T03:16:06.660

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-4623

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:40:29Z

Weaknesses