CVE-2022-1411 — Unrestricted File Upload in Yetiforcecrm

CWE-434 — Unrestricted File Upload4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 46.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Yetiforcecompany Yetiforcecrm Yetiforce Customer Relationship Management Yetiforce Yetiforce-crm

Timeline

PublishedMay 5

Latest updateMay 6

Description

Unrestructed file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. Attacker can send malicious files to the victims is able to retrieve the stored data from the web application without that data being made safe to render in the browser and steals victim's cookie leads to account takeover.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5yetiforcecompany/yetiforcecompany_yetiforcecrmunspecified — 6.4.0

▶Packagistyetiforce/yetiforce-crm< 6.4.0

▶NVDyetiforce/yetiforce_customer_relationship_management< 6.4.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Unrestricted Upload of File with Dangerous Type in yetiforce-crm↗2022-05-06

▶

OSV

Unrestricted Upload of File with Dangerous Type in yetiforce-crm↗2022-05-06

▶

CVEList

Unrestructed file upload in yetiforcecompany/yetiforcecrm↗2022-05-05

▶