CVE-2026-11456
Chanjet · CRM
Chanjet CRM 1.0 contains an SQL injection vulnerability in the /tools/jxf_dump_systable.php file due to improper sanitization of the 'gblOrgID' parameter.
Executive summary
An unauthenticated SQL injection flaw in Chanjet CRM 1.0 allows remote attackers to execute arbitrary SQL commands and compromise sensitive CRM data.
Vulnerability
The vulnerability exists in the HTTP GET Request Handler within /tools/jxf_dump_systable.php. By providing a malicious payload in the 'gblOrgID' parameter, an unauthenticated attacker can execute unauthorized SQL queries.
Business impact
The CVSS score of 7.3 highlights the high severity of this vulnerability. Successful exploitation could lead to the unauthorized extraction of customer data, lead information, and business intelligence, potentially resulting in severe financial and reputational damage.
Remediation
Immediate Action: Apply the latest security updates provided by Chanjet to address the improper parameter sanitization.
Proactive Monitoring: Monitor for anomalous GET requests targeting the /tools/jxf_dump_systable.php file, specifically looking for SQL-related characters in the 'gblOrgID' field.
Compensating Controls: Restrict access to the /tools/ directory via web server configuration (e.g., .htaccess or Nginx allow/deny rules) to prevent unauthorized access to administrative utility files.
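As an added illustration of the monitoring step above (example code, not part of this advisory or of the Chanjet product), the following Python script scans combined-format web-server access-log lines for GET requests to /tools/jxf_dump_systable.php whose 'gblOrgID' value carries SQL metacharacters or keywords. The log lines are constructed, and the assumption that legitimate 'gblOrgID' values are plain integers is a placeholder to adjust to the real deployment.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2026:10:01:22 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2026:10:01:25 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1001%27%20OR%201%3D1-- HTTP/1.1" 200 9123 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2026:10:02:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2026:10:02:10 +0000] "GET /tools/jxf_dump_systable.php?gblOrgID=1001%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "curl/8.0"
"""

TARGET_PATH = "/tools/jxf_dump_systable.php"   # script named in the advisory
PARAM = "gblOrgID"                              # parameter named in the advisory

# Fields of the combined log format we need: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Quote/comment characters and SQL keywords that have no place in an organisation identifier.
SQL_META_RE = re.compile(r"""['";#]|--|/\*|\b(?:union|select|sleep|benchmark|or|and)\b""", re.IGNORECASE)


def classify_value(value: str) -> str:
    """'high' if SQL metacharacters are present, 'medium' if the value is not a plain integer
    (assumption: legitimate gblOrgID values are numeric), otherwise 'ok'."""
    if SQL_META_RE.search(value):
        return "high"
    if not value.isdigit():
        return "medium"
    return "ok"


def scan_access_log(text: str) -> list:
    """Return one finding per suspicious gblOrgID value sent to the vulnerable script."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        target = urlsplit(m["target"])
        if target.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes once; a second unquote_plus pass exposes double-encoded values.
        for raw in parse_qs(target.query, keep_blank_values=True).get(PARAM, []):
            value = unquote_plus(raw)
            severity = classify_value(value)
            if severity != "ok":
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                                 "value": value, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} [{f['ts']}] status={f['status']} {PARAM}={f['value']!r}")
```

Requests that hit the script from addresses outside the allow-list configured under the compensating control are also worth alerting on, independent of the parameter value.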
Exploitation status
Public Exploit Available: true
Analyst recommendation
Immediate remediation is required to secure the CRM environment. Organizations should restrict network access to sensitive management scripts and apply all vendor-supplied patches to eliminate the underlying vulnerability.