yetiforce/yetiforce-crm is vulnerable to stored cross-site scripting (XSS). The application does not escape the `fieldModel->label` parameter in LayoutEditor: the value is used directly, without any encoding or validation, in `LayoutEditor/EditField.tpl`, which allows an attacker to inject and execute malicious JavaScript as a stored XSS attack.
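As an added illustration (not code from the YetiForce project), the rendering defect the advisory describes and its hardened form in PHP; the sample label is constructed, the label markup is hypothetical, and the Smarty modifier in the comment assumes the project's `.tpl` files are Smarty templates.

```php
<?php
// Added illustration, not YetiForce code: a stored field label is rendered
// into HTML, first the way the advisory describes (raw), then escaped.

// Constructed sample: a label an attacker saved through the layout editor.
const SAMPLE_LABEL = '<script>alert(1)</script>';

// Encode for an HTML text/attribute context. ENT_QUOTES covers single quotes
// so the value is also safe inside quoted attributes; ENT_SUBSTITUTE avoids
// returning an empty string on invalid UTF-8, which would hide the problem.
function encodeLabel(string $label): string
{
    return htmlspecialchars($label, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: the label is concatenated into markup unchanged,
// so any tag in it becomes part of the page for every user who opens the editor.
function renderLabelUnescaped(string $label): string
{
    return '<label class="col-form-label">' . $label . '</label>';
}

// Hardened rendering: the same markup, with the label encoded first.
// In a Smarty template the equivalent fix is the escape modifier on the
// variable, e.g. {$fieldModel->label|escape:'html'} instead of {$fieldModel->label}.
function renderLabelEscaped(string $label): string
{
    return '<label class="col-form-label">' . encodeLabel($label) . '</label>';
}

// Regression check for a template test: the rendered fragment must not
// contain the raw label, only its entity-encoded form.
function labelIsEncoded(string $html, string $label): bool
{
    return !str_contains($html, $label) && str_contains($html, encodeLabel($label));
}

var_dump(labelIsEncoded(renderLabelUnescaped(SAMPLE_LABEL), SAMPLE_LABEL));
var_dump(labelIsEncoded(renderLabelEscaped(SAMPLE_LABEL), SAMPLE_LABEL));
```

The first check fails and the second passes, which is the assertion a fix for this class of defect should add alongside the template change.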
| CPE | Name | Operator | Version |
|---|---|---|---|
| yetiforce/yetiforce-crm | le | 6.4.0 | |