CVE-2022-3000: Cross-site Scripting in Yetiforcecrm

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.3% (top 44.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 20; Latest update Oct 10

Description

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages: 4 packages

Patches

🔴Vulnerability Details (5)

GHSA: YetiForce CRM vulnerable to stored Cross-site Scripting via LayoutEditor module (2022-09-21)
OSV: YetiForce CRM vulnerable to stored Cross-site Scripting via LayoutEditor module (2022-09-21)
CVEList: Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm (2022-09-20)
GHSA: Nodejs 'undici' vulnerable to CRLF Injection via Content-Type (2022-08-18)
GHSA: Incorrect protocol extraction via \r, \n and \t characters (2022-04-06)

💥Exploits & PoCs (1)

Exploit-DB: FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE) (2022-02-08)

📋Vendor Advisories (23)

Chrome: Stable Channel Update for Desktop: CVE-2023-5485 (2023-10-10)
Chrome: Stable Channel Update for Desktop: CVE-2023-2464 (2023-05-02)
Chrome: Stable Channel Desktop Update: CVE-2023-0929 (2023-02-22)
Chrome: Stable Channel Update for Desktop: CVE-2023-0699 (2023-02-07)
Chrome: Stable Channel Update for Desktop: CVE-2023-0131 (2023-01-10)

💬Community (1)

HackerOne: CVE-2022-35948: CRLF Injection in Nodejs 'undici' via Content-Type (2022-09-23)
CVE-2022-3000 — Cross-site Scripting in Yetiforcecrm | cvebase