Cross-site Scripting (XSS) - Reflected in yetiforcecompany/yetiforcecrm

Valid

Reported on

Dec 10th 2021


Description

Application is vulnerable to Reflected cross site scripting attack on create Invoice.

Proof of Concept

Step 1: Log in to the application at https://gitstable.yetiforce.com/index.php

Step 2: Navigate to Quick Create -> Cost Invoice

Step 3: Click on Source, enter the XSS payload in Description, and observe the pop-up.

Video POC

https://1drv.ms/v/s!Aqx9_ZDlUWrJcGCc3xjV-n28ntE?e=FvuKQR

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. a year ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back a year ago
Mariusz Krzaczkowski validated this vulnerability a year ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mariusz Krzaczkowski marked this as fixed in 6.4.0 with commit a062d3 a year ago
Mariusz Krzaczkowski has been awarded the fix bounty
This vulnerability will not receive a CVE
KhanhCM
a year ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself. What have you learned after reporting this vulnerability? Just earn the bounty or improve your skills in cybersecurity?

What a shame on you!

The maintainer should be aware of this person; he is not a researcher, he is a copier!

Mariusz
a year ago

Maintainer


Bug fixed in 6.3.0_SecurityFix https://github.com/YetiForceCompany/UpdatePackages/tree/master/YetiForce%20CRM%206.x.x/6.3.0_SecurityFix/zip

Mariusz
a year ago

Maintainer


@khanhchauminh What matters is the goal and effect, not what weapon you use (within the legal limits, of course).