It was found that, due to the way data was sanitized before being stored in the session, there was a possibility of XSS. It was patched in version 6.4.0 to prevent XSS attacks. Credit to David Sklar (dsklar) for discovering the issue and patching it, as described in the following blog post: https://david-sklar.com/2018/04/21/yetiforce-and-cross-site-scripting/
XSS attacks are dangerous, as they can lead to a major data breach with a significant financial impact for the business. Prior to 6.4.0, XSS was possible in the following scenario: a user was logged in and viewing or editing a record through yetiforce/yetiforcecrm.
The YetiForce Control Panel
The YetiForce Control Panel is one of the most powerful web-based admin tools available to help you manage your company's inventory. With its drag-and-drop features, you can start with nothing and build a fully functional store in minutes.
What is YetiForce?
YetiForce is the software used to manage websites, blogs and web applications. YetiForce is a cloud-based platform that allows users to easily manage content creation, social media marketing and email marketing campaigns. Features include automated graphics, content scheduling and text syndication, search engine optimization (SEO), e-commerce integration, online advertising management and website analytics.
Timeline
Published on: 09/20/2022 10:15:00 UTC
Last modified on: 09/21/2022 16:34:00 UTC