CVE-2025-70981
CordysCRM · CordysCRM
CordysCRM 1.4.1 contains an SQL Injection vulnerability in the employee list query interface (/user/list) via the 'departmentIds' parameter.
Executive summary
CordysCRM 1.4.1 is affected by a critical SQL Injection vulnerability that allows attackers to manipulate database queries and gain unauthorized access to sensitive employee information.
Vulnerability
The vulnerability exists in the /user/list endpoint where the departmentIds parameter is not properly sanitized before being used in an SQL query. This allows an attacker to inject malicious SQL commands to bypass authentication or extract data from the CRM database.
Business impact
The exposure of employee data and CRM records poses a significant privacy risk and potential compliance violation (e.g., GDPR). With a CVSS score of 9.8, this critical flaw could allow an attacker to gain administrative access to the CRM, leading to the total compromise of corporate human resources and client relationship data.
Remediation
Immediate Action: Update CordysCRM to the latest version, which addresses the insecure handling of the departmentIds parameter.
Proactive Monitoring: Review web server and database logs for suspicious activity targeting the /user/list path, specifically looking for SQL keywords in URL parameters.
Compensating Controls: Implement strict input validation and use a Web Application Firewall (WAF) to detect and block SQL injection patterns in incoming HTTP requests.
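As an added example, not code from CordysCRM or from this advisory, the following Python illustrates the two compensating controls above for a parameter shaped like departmentIds: allow-list validation of the value before it feeds a parameterised query (the fix the advisory asks for), and a log review that flags /user/list requests whose parameters fall outside the expected grammar or contain SQL keywords. The integer-list grammar, the users table layout, the hypothetical keyword parameter and the access-log lines are constructed assumptions for the demonstration, not details taken from the product.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# --- Compensating control 1: strict allow-list validation + parameterised query ---

# Assumed grammar (hypothetical, not from the product): departmentIds is a
# comma-separated list of integer ids such as "3" or "3,7,12". Anything else
# is rejected before it can reach the database.
DEPARTMENT_IDS_RE = re.compile(r"[0-9]{1,10}(,[0-9]{1,10})*")


def parse_department_ids(raw, max_ids=50):
    """Return a list of ints, or raise ValueError for anything outside the grammar."""
    if raw is None or raw == "":
        return []
    if not DEPARTMENT_IDS_RE.fullmatch(raw):
        raise ValueError("departmentIds must be a comma-separated list of integers")
    ids = [int(part) for part in raw.split(",")]
    if len(ids) > max_ids:
        raise ValueError("too many department ids")
    return ids


def build_user_list_query(dept_ids):
    """One '?' placeholder per id; the values travel separately from the SQL text."""
    if not dept_ids:
        return "SELECT id, name FROM users ORDER BY id", ()
    placeholders = ",".join("?" for _ in dept_ids)  # only '?' and ',' end up in the SQL
    sql = f"SELECT id, name FROM users WHERE department_id IN ({placeholders}) ORDER BY id"
    return sql, tuple(dept_ids)


def list_users(conn, raw_department_ids):
    """Validated, parameterised replacement for a string-built employee list query."""
    sql, params = build_user_list_query(parse_department_ids(raw_department_ids))
    return conn.execute(sql, params).fetchall()


def demo_db():
    """In-memory SQLite with constructed sample rows (not data from the product)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, department_id INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 3), (2, "bob", 7), (3, "carol", 3), (4, "dave", 9)])
    return conn


# --- Compensating control 2: proactive monitoring of /user/list in access logs ---

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')
SQL_KEYWORD_RE = re.compile(r"(?i)\b(?:union|select|sleep|benchmark|or|and)\b|--|/\*|;|'")


def suspicious_user_list_requests(log_lines):
    """Return (line_number, parameter, decoded_value, reason) for each suspicious hit.

    A departmentIds value is judged against the allow-list grammar, which is far
    less noisy than keyword matching; other parameters fall back to the keyword
    heuristic the advisory recommends.
    """
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != "/user/list":
            continue
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:  # parse_qs has already percent-decoded the value
                if name == "departmentIds" and value != "" and not DEPARTMENT_IDS_RE.fullmatch(value):
                    findings.append((lineno, name, value, "departmentIds outside integer-list grammar"))
                elif SQL_KEYWORD_RE.search(value):
                    findings.append((lineno, name, value, "SQL keyword or metacharacter in parameter"))
    return findings


# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /user/list?departmentIds=3,7 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2026:10:00:02 +0000] "GET /user/list?departmentIds=3%20UNION%20SELECT%201 HTTP/1.1" 500 0',
    '10.0.0.8 - - [01/Jan/2026:10:00:03 +0000] "GET /user/list?departmentIds=&keyword=o%27brien HTTP/1.1" 200 128',
    '10.0.0.9 - - [01/Jan/2026:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 9000',
]


if __name__ == "__main__":
    conn = demo_db()
    print(list_users(conn, "3,7"))
    try:
        list_users(conn, "3 UNION SELECT 1")
    except ValueError as exc:
        print("rejected:", exc)
    for finding in suspicious_user_list_requests(SAMPLE_ACCESS_LOG):
        print(finding)
```

The third sample line shows the caveat with keyword-only monitoring: a free-text field containing an apostrophe (o'brien) trips the heuristic, so expect false positives on search or name parameters and triage them separately from grammar violations on structured parameters such as departmentIds, which are almost never legitimate.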
Exploitation status
Public Exploit Available: No
Analyst recommendation
Immediate remediation is required to protect sensitive corporate data. Administrators should prioritize patching CordysCRM and conduct a thorough audit of database access logs to ensure that no unauthorized data extraction has occurred prior to the update.