Cross-site Scripting (XSS) - Reflected in yetiforcecompany/yetiforcecrm


Reported on

Dec 10th 2021


The application is vulnerable to a reflected cross-site scripting (XSS) attack when creating an invoice: HTML entered through the editor's Source mode in the Description field is rendered without sanitization.

Proof of Concept

Step 1: Login into the application

Step 2: Navigate to Quick Create -> Cost Invoice

Step 3: Click on Source, enter the XSS payload in the Description field, and observe the pop-up.

Video POC: !Aqx9_ZDlUWrJcGCc3xjV-n28ntE?e=FvuKQR
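As an added example (not YetiForce's own code and not the fix the maintainers shipped), here is the mitigation side of this report: an allowlist sanitizer that the server would apply to the Description field's HTML before storing or rendering it, so that a payload pasted into the editor's Source mode (`<script>`, `onerror=` handlers, `javascript:` links) cannot reach a victim's browser. The allowlist, the helper names and the sample payloads are assumptions chosen for the demonstration.

```python
"""Allowlist HTML sanitizer for a rich-text "Description" field.

Added example, not YetiForce's code. Everything the editor's Source mode
submits is reduced to a small allowlist of tags and attributes; script and
style bodies are dropped entirely, event-handler attributes never survive,
and link targets are restricted to safe URL schemes. The allowlist below is
an assumption for the demonstration, not a project setting.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "b", "i", "u", "strong", "em", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # every other attribute is dropped
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" = relative URL
VOID_TAGS = {"br"}


def _safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and friends.

    Browsers strip tabs/newlines and leading whitespace before parsing the
    scheme, so "java\tscript:" still executes; mirror that normalisation.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted
        kept = []
        for name, value in attrs:
            # html.parser lower-cases names, so ONERROR= is caught here as well
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text arrives with entities decoded; re-escape so "<" never lands raw
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including old conditional comments) are dropped


def sanitize(html: str) -> str:
    """Return the allowlisted form of an untrusted HTML fragment."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed payloads of the kind pasted into the editor's Source mode
    for payload in (
        '<p>Hi</p><script>alert(1)</script>',
        '<img src=x onerror=alert(1)>',
        '<a href="javascript:alert(1)">x</a>',
        '<a href="https://example.com" onclick="alert(1)">ok</a>',
    ):
        print(repr(payload), "->", repr(sanitize(payload)))
```

The sanitizer deliberately works as an allowlist rather than a blocklist of known-bad tags, because the payload space (new tags, attribute encodings, scheme obfuscation) is open-ended while the set of markup a description legitimately needs is small. It does not balance tags or validate nesting; in production, apply a maintained library (for PHP, for example, HTMLPurifier) at the point where the field is stored, and keep output encoding in the template as a second layer.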

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back 2 years ago
Mariusz Krzaczkowski validated this vulnerability 2 years ago
dev696 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mariusz Krzaczkowski marked this as fixed in 6.4.0 with commit a062d3 2 years ago
Mariusz Krzaczkowski has been awarded the fix bounty 2 years ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself. What have you learned after reporting this vulnerability? Just earning the bounty, or improving your skills in cybersecurity?

Shame on you!

The maintainer should be aware of this person: he is not a researcher, he is a copier!

2 years ago


Bug fixed in 6.3.0_SecurityFix

2 years ago


@khanhchauminh What matters is the goal and the effect, not what weapon you use (within the legal limits, of course).
