CVE-2022-1411

Опубликовано: 05 мая 2022

Источник: nvd

CVSS3: 9.1

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Unrestructed file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. Attacker can send malicious files to the victims is able to retrieve the stored data from the web application without that data being made safe to render in the browser and steals victim's cookie leads to account takeover.

Ссылки

https://github.com/yetiforcecompany/yetiforcecrm/commit/bf69c427260011ffca42f7b6935bb54080c54124
Patch
Third Party Advisory
https://huntr.dev/bounties/75c7cf09-d118-4f91-9686-22b142772529
Exploit
Third Party Advisory
https://github.com/yetiforcecompany/yetiforcecrm/commit/bf69c427260011ffca42f7b6935bb54080c54124
Patch
Third Party Advisory
https://huntr.dev/bounties/75c7cf09-d118-4f91-9686-22b142772529
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:yetiforce:yetiforce_customer_relationship_management:*:*:*:*:*:*:*:*

Версия до 6.4.0 (исключая)

EPSS

Процентиль: 53%

0.00306

Низкий

9.1 Critical

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-434

Связанные уязвимости

GHSA-pqr6-3j58-9w58

CVSS3: 6.1

github

почти 4 года назад

Unrestricted Upload of File with Dangerous Type in yetiforce-crm

EPSS

Процентиль: 53%

0.00306

Низкий

9.1 Critical

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-434