CVE-2022-3004 XSS stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

It was found that, because of the way data was sanitized before being stored in the session, a stored XSS was possible. It was patched in version 6.4.0. Credit to David Sklar (dsklar) for discovering and patching the issue; it is described in the following blog post: https://david-sklar.com/2018/04/21/yetiforce-and-cross-site-scripting/
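The distinction the advisory turns on is that "sanitizing" a value once, before it is put in the session, does not make it safe for every place it is later rendered. The following is an added example written for this page (it is not YetiForce code and is not taken from the linked post); the function names and the display_name session key are assumptions. It contrasts a strip-on-input approach with escaping for the output context at render time:

```php
<?php
// Added example (not YetiForce code): why "sanitizing" a value before it is
// stored in the session is not a substitute for escaping it at output time.
// Function names and the 'display_name' key are illustrative assumptions.

declare(strict_types=1);

// Weak approach: strip tags on input and trust the stored value afterwards.
// strip_tags() leaves quote characters untouched, so the stored value is
// still unsafe when it is later placed inside an HTML attribute.
function storeSanitized(array &$session, string $value): void
{
    $session['display_name'] = strip_tags($value);
}

// Renders the stored value straight into an attribute without escaping.
function renderWeak(array $session): string
{
    return '<input type="text" value="' . $session['display_name'] . '">';
}

// Safer approach: store the raw value and escape it for the exact output
// context when rendering. ENT_QUOTES encodes both " and ' so the value
// cannot terminate a quoted attribute.
function storeRaw(array &$session, string $value): void
{
    $session['display_name'] = $value;
}

function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderSafe(array $session): string
{
    return '<input type="text" value="' . escapeHtml($session['display_name']) . '">';
}

// Constructed sample input: a name containing a double quote, which is enough
// to close the value attribute early in the weak renderer.
$input = 'Smith" class="injected';

$weakSession = [];
storeSanitized($weakSession, $input);
echo renderWeak($weakSession), PHP_EOL;

$safeSession = [];
storeRaw($safeSession, $input);
echo renderSafe($safeSession), PHP_EOL;
```

Running it shows the weak renderer emitting the quote verbatim, so the browser sees a second attribute after the value, while the safe renderer emits the quote as `&quot;` and the whole input remains a single attribute value. The general rule is to escape at the point of output, choosing the encoding for the context (HTML text, attribute, JavaScript, URL), rather than relying on a one-time cleanup before storage.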

XSS attacks are dangerous, as they can lead to a major data breach with a significant financial impact for the business. Prior to 6.4.0, XSS was possible in the following scenarios:

A user was logged in and viewing/editing a record through yetiforce/yetiforcecrm.

A user was logged in and viewing/editing a record through yetiforce/yetiforce.


The YetiForce Control Panel

The YetiForce Control Panel is one of the most powerful web-based admin tools available to help you manage your company's inventory. With its drag-and-drop features, you can start with nothing and build a fully functional store in minutes.

What is YetiForce?

YetiForce is software used to manage websites, blogs and web applications. It is a cloud-based platform that allows users to easily manage content creation, social media marketing and email marketing campaigns. Features include automated graphics, content scheduling and text syndication, search engine optimization (SEO), e-commerce integration, online advertising management and website analytics.

Timeline

Published on: 09/20/2022 10:15:00 UTC
Last modified on: 09/21/2022 16:34:00 UTC

References