It was found that due to the way data was sanitized before being stored to session, there was a possibility of XSS. It was patched in version 6.4.0 to prevent XSS attacks. Credit to David Sklar (dsklar) for discovering the issue and patching it in the following blog post: https://david-sklar.com/2018/04/21/yetiforce-and-cross-site-scripting/
XSS attacks are dangerous, as it can lead to a major data breach that can have a significant financial impact for the business. Prior to 6.4.0, XSS was possible in the following scenarios: A user was logged in and viewing/editing a record through yetiforce/yetiforcecrm.
A user was logged in and viewing/editing a record through yetiforce/yetiforce.
A user was logged in and viewing/editing a record through yetiforce/yetiforce.
A user was logged in and viewing/editing a record through yetiforce/yetiforce.
A user was logged in and viewing/editing a record through yetiforce/yetiforce.
A user was logged in and viewing/editing a record through yetiforce/yetiforce.
A user was logged in and viewing/editing a record through yetiforce/yetiforce.
What is YetiForce?
Yetiforce is a desktop application that is designed to help companies manage the day-to-day tasks of their business. It’s like a CRM, but it’s only accessible online. YetiForce is free to use and available through a web browser, with no need for any installation or downloads. YetiForce is highly customizable, as it offers plugins and widgets that can be added by users.
Timeline
Published on: 08/23/2022 04:15:00 UTC
Last modified on: 08/24/2022 14:26:00 UTC