CVE-2026-10514
Cross-Site Scripting in 1Panel-dev CordysCRM
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1panel-dev | cordyscrm | up to 1.6.2 (inclusive) |
| 1panel-dev | cordyscrm | 1.7.0 |
| 1panel-dev | cordyscrm | 1.4.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue found in 1Panel-dev CordysCRM versions up to 1.6.2. It affects a function in the file RequestParamTrimConfig.java, where improper handling of request parameters allows an attacker to inject malicious scripts. These scripts can be executed in the browsers of users interacting with the affected system. The vulnerability can be exploited remotely, and the exploit has been publicly disclosed.
The vulnerability was addressed by introducing configurable URL-based XSS filtering rather than a global escape, allowing specific endpoints to be protected against XSS attacks. This fix was implemented in version 1.7.0.
How can this vulnerability impact me?
This Cross-Site Scripting (XSS) vulnerability can allow attackers to inject malicious scripts into the application, which then execute in the browsers of users who visit affected pages. This can lead to unauthorized actions performed on behalf of users, theft of sensitive information such as session tokens, or manipulation of the user interface.
Since the vulnerability can be exploited remotely, attackers do not need physical access to the system. The impact is limited to integrity (low severity) as per CVSS scores, but it can still compromise user trust and application security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to exploit Cross-Site Scripting (XSS) in the affected CordysCRM versions up to 1.6.2, particularly targeting endpoints that process user input without proper sanitization.
Since the vulnerability relates to specific URL patterns where XSS filtering was not applied, monitoring HTTP requests to these endpoints for suspicious payloads (e.g., JavaScript code or HTML tags like `<img src=x onerror=...>`) can help detect exploitation attempts.
Commands to detect such attempts could include using network monitoring tools or web server logs to search for typical XSS payloads in request parameters. For example, using grep on server logs:
- `grep -i -E "<script|onerror=|<img|javascript:" /path/to/access.log`
- Using intrusion detection systems (IDS) or web application firewalls (WAF) with rules to detect XSS payloads on the affected URLs.
Additionally, reviewing the configuration of the `xss.protection.url.list` in the cordys-crm.properties file can help identify which URLs require monitoring or filtering.
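The following added example (not from the CordysCRM project) combines the two detection steps above: it reads the `xss.protection.url.list` key from a constructed cordys-crm.properties fragment and scans constructed access-log lines for the same XSS indicators as the grep, URL-decoding each request target first and reporting whether the hit endpoint is covered by the configured filter list. The comma-separated path-prefix format of the property value, the log lines and the URL paths are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample of cordys-crm.properties. The key name is from the
# advisory; the comma-separated path-prefix value format is an assumption.
PROPERTIES = """
server.port=8080
xss.protection.url.list=/announcement/add,/announcement/edit
"""

# Constructed access-log lines in combined log format (not real traffic).
ACCESS_LOG = """\
10.0.0.5 - - [02/Jun/2026:10:01:02 +0000] "POST /announcement/add?title=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512
10.0.0.6 - - [02/Jun/2026:10:01:09 +0000] "GET /customer/list?name=Alice HTTP/1.1" 200 2048
10.0.0.7 - - [02/Jun/2026:10:02:44 +0000] "GET /customer/remark?text=%3Cscript%3Edocument.title%3C/script%3E HTTP/1.1" 200 640
10.0.0.8 - - [02/Jun/2026:10:03:00 +0000] "GET /product/view?id=42 HTTP/1.1" 200 300
"""

# Same indicators as the grep above, applied after URL decoding.
XSS_INDICATORS = re.compile(r"<script|onerror\s*=|<img|javascript:", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def protected_urls(properties: str) -> list[str]:
    """Return the URL prefixes listed under xss.protection.url.list."""
    for line in properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "xss.protection.url.list":
            return [p.strip() for p in value.split(",") if p.strip()]
    return []

def scan_log(log: str, protected: list[str]) -> list[dict]:
    """Flag requests whose decoded target carries an XSS indicator.

    Each finding records whether the path is covered by the configured
    filter list, so requests to uncovered endpoints stand out for review."""
    findings = []
    for line in log.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        # Decode once: a raw grep misses %3C-encoded payloads in the log.
        target = unquote_plus(m.group("target"))
        if not XSS_INDICATORS.search(target):
            continue
        parts = urlsplit(target)
        findings.append({
            "path": parts.path,
            "payload": parts.query,
            "covered": any(parts.path.startswith(p) for p in protected),
        })
    return findings

if __name__ == "__main__":
    for hit in scan_log(ACCESS_LOG, protected_urls(PROPERTIES)):
        print(hit)
```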
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade CordysCRM to version 1.7.0 or later, where the vulnerability has been fixed.
Version 1.7.0 includes critical security fixes addressing XSS vulnerabilities by implementing configurable URL-based XSS filtering, allowing administrators to specify which endpoints require protection.
In addition to upgrading, it is advised to configure the `xss.protection.url.list` setting in the cordys-crm.properties file to specify the URLs that need XSS filtering, as the system does not apply global filtering by default.
Other recommended measures include:
- Implement input validation and sanitization on user inputs, especially on endpoints that accept announcements or other user-generated content.
- Apply output escaping when rendering content to prevent execution of malicious scripts.
- Configure Content Security Policy (CSP) headers to restrict inline script execution and reduce impact of potential XSS.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a Cross-Site Scripting (XSS) issue in CordysCRM that allows remote attackers to inject malicious scripts. Such vulnerabilities can lead to unauthorized script execution in users' browsers, potentially exposing sensitive data or enabling session hijacking.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
Failure to mitigate XSS vulnerabilities could result in non-compliance with data protection requirements under GDPR and HIPAA, as these standards mandate appropriate security measures to protect personal and sensitive information from unauthorized access or disclosure.
Upgrading to CordysCRM version 1.7.0 and applying the recommended XSS protections (such as configurable URL filtering and input/output sanitization) helps reduce the risk and supports compliance efforts.