Stored XSS vulnerability when importing RSS Feeds from external source in yetiforcecompany/yetiforcecrm


Reported on

Aug 12th 2022


YetiForceCRM allows user create RSS Feeds without purifying the link field of the input data properly from external source. An attacker can take advantage of this vulnerability to perform an XML Injection attack that leads to stored cross-site scripting (XSS) on the target server.

Proof of Concept


<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="">
    <title>RSS Test</title>
    <description>RSS Test Description</description>
    <lastBuildDate>Fri, 12 Aug 2022 00:00:00 -0000</lastBuildDate>
        <title>RSS Test</title>
        <description>a post</description>
        <pubDate>Fri, 12 Aug 2022 00:00:00 -0000</pubDate>

Reproduction steps

  • Step 1: Create a file rss_xss.xml with the content of the payload above

PoC - Step 1

  • Step 2: Add Feed Source via module Rss

PoC - Step 2

  • Step 3: Click Save and the XSS should fire

PoC - Step 3

PoC - Step 3-2


This vulnerability allows attackers to hijack the user's current session, steal relevant information, deface website or direct users to malicious websites,...

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back a year ago
Radosław Skrzypczak validated this vulnerability a year ago
0xb4c has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 7 days. a year ago
Mariusz Krzaczkowski marked this as fixed in 6.4.0 with commit 2c14ba a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
RssFeedContents.tpl#L51 has been validated
to join this conversation