Cross-site Scripting (XSS) - Reflected in yetiforcecompany/yetiforcecrm

Valid

Reported on

Dec 10th 2021


Description

The application is vulnerable to reflected cross-site scripting (XSS) when creating a Cost Invoice: HTML entered into the Description field is rendered back to the page, so a script payload placed there executes.

Proof of Concept

Step 1: Log in to the application at https://gitstable.yetiforce.com/index.php

Step 2: Navigate to Quick Create -> Cost Invoice

Step 3: In the Description field, click Source to switch the editor to its raw-HTML view, enter the XSS payload, and observe the pop-up.

Video POC

https://1drv.ms/v/s!Aqx9_ZDlUWrJcGCc3xjV-n28ntE?e=FvuKQR
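The steps above rely on a rich-text editor's Source view, which lets the user submit arbitrary HTML; whatever the editor does client-side, the server has to reduce that HTML to a safe subset before storing or rendering it. As an added example, not YetiForce's code and not the fix the maintainer merged, the PHP below shows such an allowlist sanitizer over a DOM walk. The function and constant names (`sanitizeDescription`, `ALLOWED_TAGS`, `isSafeUrl`) and the sample payloads are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not YetiForce code: an allowlist-based HTML sanitizer for a
// rich-text "Description" field. A WYSIWYG editor's "Source" view lets the user
// submit arbitrary HTML, so the server must reduce it to safe markup before it
// is stored or rendered. Function and constant names here are illustrative.

const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];
// Elements whose whole subtree is discarded, not merely unwrapped.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed',
    'svg', 'math', 'template', 'noscript'];

// Accept only http(s), mailto, root-relative and fragment links. Whitespace and
// control characters are removed first so "java\nscript:" cannot sneak through;
// libxml has already decoded entities such as &#106; by the time we see the value.
function isSafeUrl(string $url): bool
{
    $normalized = strtolower((string) preg_replace('/[\s\x00-\x1f]+/', '', $url));
    return (bool) preg_match('~^(https?:|mailto:|/|#)~', $normalized);
}

function sanitizeNode(DOMNode $node): void
{
    // Walk a snapshot of the children: the loop body removes and moves nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue; // plain text; saveHTML() re-escapes <, > and & on output
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child); // comments and other non-element nodes
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown tag (img, div, ...): keep its sanitized children, drop the element.
            sanitizeNode($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Allowed tag: strip every attribute not on its allowlist, which removes
        // all on* event handlers, and reject unsafe href values.
        $allowedAttrs = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowedAttrs, true)
                || ($name === 'href' && !isSafeUrl($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitizeNode($child);
    }
}

function sanitizeDescription(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate the broken markup attackers send
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    sanitizeNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample inputs, of the kind a tester pastes into the Source view.
$samples = [
    '<p>Invoice for <b>March</b></p><script>alert(1)</script>',
    '<p>Total: <img src=x onerror="alert(document.cookie)"> 100</p>',
    '<a href="javascript:alert(1)">click</a> <a href="https://example.com">ok</a>',
    '<p onmouseover="alert(1)">hover</p><!-- comment -->',
];
foreach ($samples as $sample) {
    echo sanitizeDescription($sample), PHP_EOL;
}
```

Two points a practitioner should keep in mind. The sanitizer must run on the trusted side (on save, and ideally again on render), because the editor's own filtering is bypassed the moment the user switches to Source view or sends the request directly. And a hand-written walker like this one is for understanding the technique; a production code base should use a maintained library such as HTML Purifier, which also handles CSS in `style` attributes and the many parser edge cases a short example omits (for instance, a stray `</body>` in the input truncates the output here instead of being neutralised).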

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. 2 months ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back 2 months ago
Mariusz Krzaczkowski validated this vulnerability a month ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mariusz Krzaczkowski confirmed that a fix has been merged on a062d3 a month ago
Mariusz Krzaczkowski has been awarded the fix bounty
KhanhCM
a month ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself. What have you learned after reporting this vulnerability? Just earn the bounty or improve your skills in cybersecurity?

What a shame on you!

The maintainer should be aware of this person, he is not a researcher, he is a copier!

Mariusz
a month ago

Maintainer


Bug fixed in 6.3.0_SecurityFix https://github.com/YetiForceCompany/UpdatePackages/tree/master/YetiForce%20CRM%206.x.x/6.3.0_SecurityFix/zip

Mariusz
a month ago

Maintainer


@khanhchauminh What matters is the goal and effect, not what weapon you use (within the legal limits of course)