Lucene search

GitHub Advisory DatabaseGHSA-2QF8-H7PR-X2R8

HistorySep 21, 2022 - 12:00 a.m.

YetiForce CRM vulnerable to stored Cross-site Scripting via WidgetsManagement module

2022-09-2100:00:52

CWE-79

GitHub Advisory Database

github.com

yetiforce crm

widgetmodule

cross-site scripting

vulnerability

patch

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

21.6%

JSON

YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the WidgetsManagement module. A patch is available at commit b716ecea340783b842498425faa029800bd30420.

Affected configurations

Vulners

Node

yetiforceyetiforce_customer_relationship_managementRange≤6.4.0

CPENameOperatorVersion
yetiforce/yetiforce-crmle6.4.0

CPE	Name	Operator	Version
	yetiforce/yetiforce-crm	le	6.4.0

References

github.com/advisories/GHSA-2qf8-h7pr-x2r8

github.com/yetiforcecompany/yetiforcecrm/commit/b716ecea340783b842498425faa029800bd30420

huntr.dev/bounties/f0f3aded-6e97-4cf2-980a-c90f2c6ca0e0

nvd.nist.gov/vuln/detail/CVE-2022-2924