Yetiforce Yetiforce-Crm vulnerabilities

17 known vulnerabilities affecting yetiforce/yetiforce-crm.

Total CVEs: 17
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 15

Vulnerabilities

CVE-2023-49508 | MEDIUM | affected: ≥ 0, < 6.5.0 | date: 2024-02-16
CVE-2023-49508 [MEDIUM] CWE-22: YetiForceCRM Directory Traversal vulnerability. Directory Traversal vulnerability in YetiForceCompany YetiForceCRM versions 6.4.0 and before allows a remote authenticated attacker to obtain sensitive information via the license parameter in the LibraryLicense.php component.
Sources: GHSA, OSV
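A canonicalize-then-contain check of the kind that stops the traversal described above (a user-controlled `license` value being turned into a file path), added here as an illustration and not taken from YetiForce's LibraryLicense.php. It is written in Python rather than the project's PHP; the `licenses` directory, the `MIT.txt` and `config.php` files and the four probe names are all constructed for the demonstration.

```python
"""Canonicalize-then-contain check for a user-supplied file name.

Added illustration, not YetiForce code: the directory layout and the
probe inputs below are constructed for the demo."""
import os
import tempfile
from typing import Dict, Optional


def resolve_license_path(base_dir: str, license_name: str) -> Optional[str]:
    """Return the canonical path of base_dir/<license_name>, or None.

    Both paths go through realpath first, so '..' segments and symlinks
    are collapsed before the containment test. commonpath() rejects
    escapes via '..' and absolute names alike (os.path.join discards
    base_dir when license_name is absolute). Only regular files are
    returned, so '.' or a directory name is refused as well.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, license_name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Build a throwaway tree (constructed data) and probe it with one
    legitimate name and three traversal attempts."""
    root = tempfile.mkdtemp()
    lic_dir = os.path.join(root, "licenses")
    os.makedirs(lic_dir)
    with open(os.path.join(lic_dir, "MIT.txt"), "w") as fh:
        fh.write("MIT License (constructed)\n")
    # A file an attacker would like to read, one level above the allowed dir.
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("<?php $db_password = 'constructed';\n")

    probes = ["MIT.txt", "../config.php", "/etc/passwd", "licenses/../../config.php"]
    results: Dict[str, Optional[str]] = {}
    for name in probes:
        path = resolve_license_path(lic_dir, name)
        results[name] = os.path.basename(path) if path else None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:32} -> {outcome or 'rejected'}")
```

The containment test is done on the resolved path, not on the raw string, so stripping `..` from input is not needed and would not be sufficient on its own; if the server already URL-decodes the parameter, the decoded value is what must be passed in here.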
CVE-2022-3002 | MEDIUM | affected: ≥ 0, ≤ 6.4.0 | date: 2022-10-06
CVE-2022-3002 [MEDIUM] CWE-79: YetiForce CRM vulnerable to stored Cross-site Scripting. YetiForce CRM version 6.4.0 and prior is vulnerable to stored cross-site scripting. A [patch](https://github.com/yetiforcecompany/yetiforcecrm/commit/54728becfdad9b6e686bbe336007cba2ce518248) is available on the `developer` branch.
Sources: GHSA, OSV
CVE-2022-2924 | MEDIUM | affected: ≥ 0, ≤ 6.4.0 | date: 2022-09-21
CVE-2022-2924 [MEDIUM] CWE-79: YetiForce CRM vulnerable to stored Cross-site Scripting via WidgetsManagement module. YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `WidgetsManagement` module. A patch is available at commit b716ecea340783b842498425faa029800bd30420.
Sources: GHSA, OSV
CVE-2022-3004 | MEDIUM | affected: ≥ 0, ≤ 6.4.0 | date: 2022-09-21
CVE-2022-3004 [MEDIUM] CWE-79: YetiForce CRM vulnerable to stored Cross-site Scripting via WorkFlow module. YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `WorkFlow` module. A patch is available at commit cd82ecce44d83f1f6c10c7766bf36f3026de024a.
Sources: GHSA, OSV
CVE-2022-3005 | MEDIUM | affected: ≥ 0, ≤ 6.4.0 | date: 2022-09-21
CVE-2022-3005 [MEDIUM] CWE-79: YetiForce CRM vulnerable to stored Cross-site Scripting via SlaPolicy module. YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `SlaPolicy` module. A patch is available at commit e55886781509fe39951fc7528347696474a17884.
Sources: GHSA, OSV
CVE-2022-3000 | MEDIUM | affected: ≥ 0, ≤ 6.4.0 | date: 2022-09-21
CVE-2022-3000 [MEDIUM] CWE-79: YetiForce CRM vulnerable to stored Cross-site Scripting via LayoutEditor module. YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `LayoutEditor` module. A patch is available at commit eebc12601495ada38495076bec12841b2477516b.
Sources: GHSA, OSV
CVE-2022-1340 | MEDIUM | affected: ≥ 0, < 6.4.0 | date: 2022-08-23
CVE-2022-1340 [MEDIUM] CWE-79: Cross-site scripting in yetiforce/yetiforce-crm. Stored Cross-site Scripting (XSS) in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
Sources: GHSA, OSV
CVE-2022-2890 | MEDIUM | affected: ≥ 0, < 6.4.0 | date: 2022-08-23
CVE-2022-2890 [MEDIUM] CWE-79: Cross-site scripting in yetiforce/yetiforce-crm. Stored Cross-site Scripting (XSS) in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
Sources: GHSA, OSV
CVE-2022-2885 | MEDIUM | affected: ≥ 0, < 6.4.0 | date: 2022-08-22
CVE-2022-2885 [MEDIUM] CWE-79: Cross-site scripting in yetiforce/yetiforce-crm. Stored Cross-site Scripting (XSS) in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
Sources: GHSA, OSV
CVE-2022-1411 | MEDIUM | affected: ≥ 0, < 6.4.0 | date: 2022-05-06
CVE-2022-1411 [MEDIUM] CWE-434: Unrestricted Upload of File with Dangerous Type in yetiforce-crm. Unrestricted file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. An attacker can upload malicious files that the web application later serves to victims without the stored data being made safe to render in the browser; this can steal the victim's cookie and lead to account takeover.
Sources: GHSA, OSV
CVE-2022-0269 | HIGH | affected: ≥ 0, ≤ 6.3.0 | date: 2022-01-27
CVE-2022-0269 [HIGH] CWE-352: Cross-Site Request Forgery in yetiforce. Versions of yetiforce 6.3.0 and prior are subject to privilege escalation via a cross-site request forgery bug. This allows an attacker to create a new admin account even with SameSite: Strict enabled. This vulnerability can be exploited by any user on the system, including guest users.
Sources: GHSA, OSV
CVE-2021-4121 | MEDIUM | affected: ≥ 0, ≤ 6.3.0 | date: 2021-12-17
CVE-2021-4121 [MEDIUM] CWE-79: yetiforcecrm is vulnerable to Cross-site Scripting (Improper Neutralization of Input During Web Page Generation).
Sources: GHSA, OSV
CVE-2021-4111 | HIGH | affected: ≥ 0, ≤ 6.3.0 | date: 2021-12-16
CVE-2021-4111 [HIGH] CWE-20: YetiForceCRM is vulnerable to Business Logic Errors because the product amount can be a negative number.
Sources: GHSA, OSV
CVE-2021-4107 | MEDIUM | affected: ≥ 0, ≤ 6.3.0 | date: 2021-12-16
CVE-2021-4107 [MEDIUM] CWE-79: yetiforcecrm is vulnerable to Cross-site Scripting (Improper Neutralization of Input During Web Page Generation).
Sources: GHSA, OSV
CVE-2021-4117 | MEDIUM | affected: ≥ 0, ≤ 6.3.0 | date: 2021-12-16
CVE-2021-4117 [MEDIUM] CWE-20: YetiForceCRM is vulnerable to Business Logic Errors in the weight of a product, since that value can be a negative number.
Sources: GHSA, OSV
CVE-2021-4092 | MEDIUM | affected: ≥ 0, < 6.3.0 | date: 2021-12-16
CVE-2021-4092 [MEDIUM] CWE-352: yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF).
Sources: GHSA, OSV
CVE-2021-4116 | MEDIUM | affected: ≥ 0, ≤ 6.3.0 | date: 2021-12-16
CVE-2021-4116 [MEDIUM] CWE-79: yetiforcecrm is vulnerable to Cross-site Scripting (Improper Neutralization of Input During Web Page Generation).
Sources: GHSA, OSV
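To turn the affected ranges in this list into a check against an installed version, here is an added Python example that is not part of the page or of the YetiForce project. The range table is transcribed from the entries above (every range starts at ≥ 0, so only the upper bound and whether it is inclusive matter), and the version strings fed to it are constructed test input.

```python
"""Check an installed YetiForce CRM version against the affected ranges
on this page. Added example, not YetiForce project code: AFFECTED_RANGES
is transcribed from the listing, the probe versions are constructed."""
import re
from typing import List, Tuple

# (CVE, upper bound, inclusive?) as shown in the listing. "< 6.4.0" means
# 6.4.0 itself is fixed; "<= 6.4.0" means 6.4.0 is still affected.
AFFECTED_RANGES: List[Tuple[str, str, bool]] = [
    ("CVE-2023-49508", "6.5.0", False),
    ("CVE-2022-3002", "6.4.0", True),
    ("CVE-2022-2924", "6.4.0", True),
    ("CVE-2022-3004", "6.4.0", True),
    ("CVE-2022-3005", "6.4.0", True),
    ("CVE-2022-3000", "6.4.0", True),
    ("CVE-2022-1340", "6.4.0", False),
    ("CVE-2022-2890", "6.4.0", False),
    ("CVE-2022-2885", "6.4.0", False),
    ("CVE-2022-1411", "6.4.0", False),
    ("CVE-2022-0269", "6.3.0", True),
    ("CVE-2021-4121", "6.3.0", True),
    ("CVE-2021-4111", "6.3.0", True),
    ("CVE-2021-4107", "6.3.0", True),
    ("CVE-2021-4117", "6.3.0", True),
    ("CVE-2021-4092", "6.3.0", False),
    ("CVE-2021-4116", "6.3.0", True),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """'6.4.0' -> (6, 4, 0). Short strings are padded ('6.4' == '6.4.0').
    A pre-release label such as '6.4.0-rc1' is compared as 6.4.0, which
    the listing's bounds cannot distinguish; check such builds by hand."""
    nums = [int(x) for x in re.findall(r"\d+", v)][:3]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def is_affected(installed: str, bound: str, inclusive: bool) -> bool:
    """True when `installed` falls under the upper bound of one range."""
    a, b = parse_version(installed), parse_version(bound)
    return a <= b if inclusive else a < b


def affecting_cves(installed: str) -> List[str]:
    """All CVEs from the listing whose range still contains `installed`."""
    return [cve for cve, bound, incl in AFFECTED_RANGES
            if is_affected(installed, bound, incl)]


if __name__ == "__main__":
    for v in ("6.2.0", "6.3.0", "6.4.0", "6.5.0"):  # constructed probes
        hits = affecting_cves(v)
        print(f"{v}: {len(hits)} listed CVE(s)", ", ".join(hits) if hits else "")
```

A 6.4.0 install still carries six of the listed entries (the five "≤ 6.4.0" stored XSS issues plus the "< 6.5.0" directory traversal), and only 6.5.0 clears all seventeen. The check covers the ranges on this page only; confirm the fix versions against the linked GHSA and OSV records before relying on it.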