CVE-2025-70981

Name of the Vulnerable Software and Affected Versions CordysCRM version 1.4.1

Description CordysCRM version 1.4.1 contains a SQL Injection flaw in the employee list query interface. The issue is located in the /user/list API endpoint and involves manipulation of the departmentIds parameter. Successful exploitation could allow an attacker to inject malicious SQL code.

Recommendations Apply updates to address the SQL Injection flaw in the employee list query interface. As a temporary workaround, restrict access to the /user/list API endpoint. Avoid using the departmentIds parameter in the affected API endpoint until the issue is resolved.