planfix-mcp-server

Name: planfix-mcp-server
Author: popstas

by popstas

Overview

The server integrates with Planfix CRM via the Model Context Protocol (MCP) to manage leads, contacts, tasks, and reports, exposing these functionalities as tools for client applications like AI agents.

Installation

Run Command

npx @popstas/planfix-mcp-server

Environment Variables

PLANFIX_ACCOUNT
PLANFIX_TOKEN
PLANFIX_FIELD_ID_EMAIL
PLANFIX_FIELD_ID_PHONE
PLANFIX_FIELD_ID_TELEGRAM
PLANFIX_FIELD_ID_TELEGRAM_CUSTOM
PLANFIX_FIELD_ID_CLIENT
PLANFIX_FIELD_ID_MANAGER
PLANFIX_FIELD_ID_AGENCY
PLANFIX_FIELD_ID_LEAD_SOURCE
PLANFIX_FIELD_ID_LEAD_SOURCE_VALUE
PLANFIX_FIELD_ID_PIPELINE
PLANFIX_FIELD_ID_TAGS
PLANFIX_FIELD_ID_LEAD_ID
PLANFIX_LEAD_TEMPLATE_ID
PLANFIX_TASK_TITLE_TEMPLATE

Security Notes

The `zapier-amocrm-webhook-lead.js` script (part of the provided source code, intended for Zapier integration) contains a critical Server-Side Request Forgery (SSRF) vulnerability. It constructs an amoCRM `baseUrl` directly from the incoming webhook body (`body["account[_links][self]"]`) and uses it for subsequent API calls. If an attacker can control or forge the incoming webhook, they can force the server to make requests to arbitrary internal or external network resources. Additionally, the `planfix_request` tool exposes raw Planfix API access, meaning any trusted MCP client with access to this tool can make arbitrary API calls to the configured Planfix account.

Similar Servers

mcp-atlassian

4003

Provides an MCP (Model Context Protocol) server for interacting with Atlassian Jira and Confluence APIs, offering tools for content management, search, and workflow automation.

Other

$Medium