User can get details of the comments that were deleted in yetiforcecompany/yetiforcecrm
Sep 19th 2022
When a user creates a new record, they can add a comment to it. The user can also delete the comment, after which the user no longer has access to it, for example to reply to it or to check what the comment was. This vulnerability allows any user to see what the deleted comment was and also to reply to that comment.
Proof of Concept
1. Log in to the application at https://gitstable.yetiforce.com/index.php?module=Accounts&view=Detail&record=2029.
2. Go to create records and create a new one.
3. Enter a new comment and click on save.
4. Reply to the comment you created and intercept the request.
5. Send the request to the repeater.
6. Delete the comment that you created.
7. Send the request in the repeater; the details of the deleted comment are exposed.
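The server-side check whose absence the steps above demonstrate, as an added example that is not YetiForce code and is not taken from the report. It is a minimal model that assumes deleted comments are kept with a soft-delete flag; `CommentStore`, `reply_vulnerable`, `reply_hardened` and `replay_after_delete` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Comment:
    id: int
    author: str
    text: str
    parent_id: Optional[int] = None
    deleted: bool = False  # soft-delete flag (assumed storage model)


class CommentStore:
    def __init__(self) -> None:
        self.rows: Dict[int, Comment] = {}
        self.next_id = 1

    def add(self, author: str, text: str, parent_id: Optional[int] = None) -> Comment:
        comment = Comment(self.next_id, author, text, parent_id)
        self.rows[comment.id] = comment
        self.next_id += 1
        return comment

    def delete(self, comment_id: int) -> None:
        self.rows[comment_id].deleted = True


def reply_vulnerable(store, user, parent_id, text):
    # Trusts the parent id from the request and never checks the deleted flag.
    parent = store.rows[parent_id]
    reply = store.add(user, text, parent_id)
    return {"status": 200, "reply_id": reply.id,
            "parent": {"id": parent.id, "text": parent.text}}


def reply_hardened(store, user, parent_id, text):
    parent = store.rows.get(parent_id)
    # Unknown and deleted parents get the same answer, and nothing is stored.
    if parent is None or parent.deleted:
        return {"status": 404, "error": "comment not found"}
    reply = store.add(user, text, parent_id)
    return {"status": 200, "reply_id": reply.id,
            "parent": {"id": parent.id, "text": parent.text}}


def replay_after_delete(handler):
    """Constructed scenario: create a comment, delete it, replay the reply."""
    store = CommentStore()
    comment = store.add("alice", "constructed sample comment")
    store.delete(comment.id)
    return handler(store, "alice", comment.id, "replayed reply"), len(store.rows)
```

The state check has to run on every request that references a comment id, because a request captured before the deletion is still well-formed after it.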