CVE-2022-1411

MEDIUM

Yetiforce CRM < 6.4.0 - Unrestricted File Upload


Description

Unrestricted file upload in the GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. An attacker can upload malicious files that victims then retrieve from the web application without the stored data having been made safe to render in the browser; this lets the attacker steal the victim's cookie, leading to account takeover.

References (2)

Exploit, Third Party Advisory (x_refsource_confirm)
https://huntr.dev/bounties/75c7cf09-d118-4f91-9686-22b142772529

Scores

CVSS v3 6.1
EPSS 0.0071
EPSS Percentile 49.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-434
Status published
Products (2)
yetiforce/yetiforce-crm 0 - 6.4.0 (Packagist)
yetiforce/yetiforce_customer_relationship_management < 6.4.0
Published May 05, 2022
Tracked Since Feb 18, 2026