GHSA-7g7r-gr46-q4p5

Source

https://github.com/advisories/GHSA-7g7r-gr46-q4p5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-7g7r-gr46-q4p5/GHSA-7g7r-gr46-q4p5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7g7r-gr46-q4p5

Aliases

CVE-2022-0269

Published

2022-01-27T16:21:33Z

Modified

2024-02-16T08:20:57.255108Z

Severity

8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Cross-Site Request Forgery in yetiforce

Details

Versions of yetiforce 6.3.0 and prior are subject to privilege escalation via a cross site request forgery bug. This allows an attacker to create a new admin account even with SameSite: Strict enabled. This vulnerability can be exploited by any user on the system including guest users.

Database specific

{
    "nvd_published_at": "2022-01-24T12:15:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-25T21:09:59Z"
}

References

Affected packages

Packagist / yetiforce/yetiforce-crm

Package

Name: yetiforce/yetiforce-crm
Purl: pkg:composer/yetiforce/yetiforce-crm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

6.3.0

Affected versions

4.*

4.0.0

4.1.0

4.2.0

4.3.0

4.4.0_RC1

4.4.0_RC2

4.4.0_RC3

4.4.0

5.*

5.0.0

5.1.0

5.2.0

5.3.0

6.*

6.0.0a

6.0.0

6.1.0

6.2.0

6.3.0