Cross-site Scripting (XSS) - Reflected in yetiforcecompany/yetiforcecrm
Reported on
Dec 10th 2021
Description
The application is vulnerable to a reflected cross-site scripting (XSS) attack on the Create Invoice form.
Proof of Concept
Step 1: Log in to the application at https://gitstable.yetiforce.com/index.php
Step 2: Navigate to Quick Create -> Cost Invoice
Step 3: Click Source, enter the XSS payload in the Description field, and observe the pop-up.
Video POC
https://1drv.ms/v/s!Aqx9_ZDlUWrJcGCc3xjV-n28ntE?e=FvuKQR
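The report gives neither the payload nor the fix; the note further down names only the 6.3.0_SecurityFix package. What closes an XSS in a WYSIWYG editor's Source view is server-side re-parsing of the submitted HTML into an allowlist of tags and attributes, so event-handler attributes, script elements and javascript: URLs never reach the stored record or the page that renders it. The Python below is an added illustration of that technique, not YetiForce CRM code (the project is PHP) and not the reporter's payload; the tag list, the `sanitize_html` name and the sample inputs are assumptions constructed for the example.

```python
"""Allowlist sanitizer for a rich-text field such as an invoice Description.

Added illustration (not YetiForce CRM code): the submitted HTML is re-parsed
and rebuilt from an allowlist, so anything the allowlist does not name
(script/style elements, on* event handlers, javascript: URLs, comments)
is dropped before the value is stored or rendered.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for the example; a real deployment tunes this per field.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}                       # emitted without a closing tag
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute, on* included, is dropped
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style"}  # the tag and its contents are both discarded

# Browser-style scheme parse: a letter, then letters/digits/+/-/. up to ':'
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def _safe_href(value):
    """Return the href if its scheme is allowed (or it is relative), else None."""
    # Browsers ignore tabs/newlines inside URLs ("java\tscript:"), so strip
    # every non-printable character before looking at the scheme.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    m = _SCHEME_RE.match(cleaned)
    if m and m.group(1).lower() not in SAFE_SCHEMES:
        return None                      # javascript:, data:, vbscript: ...
    return cleaned


class _Sanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes entities in text; attribute values are
        # decoded by the parser anyway, so "&#106;avascript:" is seen as
        # "javascript:" and text is re-escaped on output.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []              # allowed tags emitted and not yet closed
        self.skip_depth = 0              # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):   # tag and attr names arrive lowercased
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                       # unknown tag removed; its text survives as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            value = value if value is not None else ""
            if name == "href":
                value = _safe_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened since the matching tag so output stays well-formed.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                             # comments (incl. conditional comments) dropped

    def result(self):
        self.close()
        while self.open_tags:            # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Rebuild an HTML fragment from the allowlist; safe to store and render."""
    parser = _Sanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs of the kind an attacker types into the editor's Source view.
    for sample in ('<p>Invoice <b>Q4</b></p>',
                   '<img src=x onerror=alert(1)>',
                   '<a href="javascript:alert(1)">pay</a>',
                   '<script>alert(1)</script>text'):
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

The point of going through a real HTML parser rather than a regex over the raw string is that the parser sees what the browser will see: tag names are case-folded, entities in attribute values are decoded before the scheme check, and the contents of a script element are dropped as a unit instead of being matched piecemeal. A denylist of `on*` attribute names would have to keep up with the HTML spec; an allowlist only has to name what the field legitimately needs. In a production PHP code base a maintained library such as HTML Purifier does this job with a far larger test corpus than a hand-written sanitizer.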
Hey @dev696,
A real researcher will not just copy all the content from other reports. You should try to write your reports yourself. What have you learned after reporting this vulnerability? Just earning the bounty, or improving your skills in cybersecurity?
Shame on you!
The maintainer should be aware of this person; he is not a researcher, he is a copier!
Bug fixed in 6.3.0_SecurityFix https://github.com/YetiForceCompany/UpdatePackages/tree/master/YetiForce%20CRM%206.x.x/6.3.0_SecurityFix/zip
@khanhchauminh What matters is the goal and effect, not what weapon you use (within the legal limits, of course).