The way user-supplied data was sanitized before being stored in the session left an opening for cross-site scripting (XSS). The issue was fixed in version 6.4.0. Credit to David Sklar (dsklar), who discovered the issue and wrote up the fix in the following blog post: https://david-sklar.com/2018/04/21/yetiforce-and-cross-site-scripting/

XSS is dangerous: script running in a logged-in user's browser can read and act on whatever that user can, which can lead to a major data breach with significant financial impact for the business. Prior to 6.4.0, XSS was possible in the following scenario: a user was logged in and viewing or editing a record through yetiforce/yetiforcecrm.
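The pattern behind this class of bug, sanitize once on the way into the session and then trust the stored value at render time, is shown below as an added example. This is constructed illustration code, not YetiForce's code and not the code from the advisory or the blog post: the payloads, the session dictionary, the naive tag-stripping filter and the two render functions are all assumptions chosen to make the failure visible. The hardened render encodes for the HTML body context at output time instead of relying on the stored value being clean.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payloads for the demonstration; not taken from the advisory.
PAYLOADS = [
    "<script>alert(1)</script>",              # the obvious case; the naive filter catches it
    "<scr<script>ipt>alert(1)</script>",      # tag splicing: one pass of removal reassembles the tag
    '<img src=x onerror="alert(1)">',         # no <script> tag at all
    "<svg onload=alert(1)>",                  # another handler-bearing element
]


def naive_sanitize(value: str) -> str:
    """Hypothetical input-side 'sanitizer': strips <script> tags in one pass.

    Stands in for whatever filtering a sanitize-before-store design applies.
    Any such filter is tied to one output context and to the payload shapes
    its author thought of; it does not make the stored value safe to emit raw.
    """
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def store_in_session(session: dict, key: str, value: str) -> None:
    """Sanitize-then-store: the value is cleaned once, on the way in."""
    session[key] = naive_sanitize(value)


def render_unsafe(session: dict, key: str) -> str:
    """Vulnerable sink: emits the stored value raw because it was 'sanitized'."""
    return f"<p>Last search: {session[key]}</p>"


def render_safe(session: dict, key: str) -> str:
    """Hardened sink: encode for the HTML body context at output time."""
    return f"<p>Last search: {html.escape(session[key], quote=True)}</p>"


class _TagCollector(HTMLParser):
    """Records every start tag the rendered markup actually produces."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def is_xss(rendered: str) -> bool:
    """True if the markup contains any element other than the intended <p>,
    or any attribute that looks like an event handler (on*)."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    for tag, attrs in collector.tags:
        if tag != "p" or any(name.startswith("on") for name in attrs):
            return True
    return False


def demo() -> dict:
    """Returns {payload: (unsafe_sink_is_xss, safe_sink_is_xss)}."""
    results = {}
    for payload in PAYLOADS:
        session = {}
        store_in_session(session, "q", payload)
        results[payload] = (
            is_xss(render_unsafe(session, "q")),
            is_xss(render_safe(session, "q")),
        )
    return results


if __name__ == "__main__":
    for payload, (unsafe, safe) in demo().items():
        print(f"{payload!r}: raw sink {'XSS' if unsafe else 'ok'}, encoded sink {'XSS' if safe else 'ok'}")
```

The naive filter stops only the first payload; the spliced tag survives it and the handler-bearing elements never contained a `<script>` tag to begin with. The encoded sink is clean for all four because the decision is made at the point where the output context is known, which is the check a reviewer should look for when a fix is described as "sanitizing before storing".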


What is yetiforce?

YetiForce (GitHub: yetiforce/yetiforcecrm) is an open-source CRM platform that also serves as a base for building custom business applications. It is assembled from open-source components and gives developers the ability to create apps tailored to their business needs through an intuitive, easy-to-use development environment.

Timeline

Published on: 08/21/2022 08:15:00 UTC
Last modified on: 08/23/2022 16:10:00 UTC

References

David Sklar, "YetiForce and Cross-Site Scripting", 2018-04-21: https://david-sklar.com/2018/04/21/yetiforce-and-cross-site-scripting/