Due to the way data was sanitized before being stored in the session, cross-site scripting (XSS) was possible: the value was treated as safe because it had been filtered on the way in, and was then rendered without being encoded for the HTML context in which it appeared. The issue was patched in version 6.4.0. Credit to David Sklar (dsklar) for discovering the issue and patching it, as described in the following blog post: https://david-sklar.com/2018/04/21/yetiforce-and-cross-site-scripting/
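The pattern described above, as an added illustration that is not YetiForce's own code: a value is filtered once before it goes into the session, and every later render trusts the stored value. The `naiveSanitize` blacklist, the `display_name` session key and both payloads are constructed for this example; the point is that filtering on input does not know which output context the value will land in, while `htmlspecialchars` at render time does.

```php
<?php
// Added example, not YetiForce code. Contrasts sanitize-before-store with
// encode-at-output for a value that round-trips through $_SESSION.

declare(strict_types=1);

// A blacklist-style "sanitizer" of the kind that looks safe but is not:
// it strips <script> elements and nothing else. Hypothetical, for illustration.
function naiveSanitize(string $input): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $input) ?? '';
}

// Vulnerable pattern: sanitize once on the way into the session, then trust
// the stored value wherever it is rendered.
function storeSanitized(array &$session, string $input): void
{
    $session['display_name'] = naiveSanitize($input);
}

function renderTrusted(array $session): string
{
    // Raw interpolation into an attribute value and into element text.
    return '<input value="' . $session['display_name'] . '">'
         . '<span>' . $session['display_name'] . '</span>';
}

// Hardened pattern: store the raw value, encode for the HTML context at output.
function storeRaw(array &$session, string $input): void
{
    $session['display_name'] = $input;
}

function encodeHtml(string $value): string
{
    // ENT_QUOTES escapes both " and ', so the result is safe inside quoted
    // attributes as well as in element text.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderEncoded(array $session): string
{
    $safe = encodeHtml($session['display_name']);
    return '<input value="' . $safe . '">' . '<span>' . $safe . '</span>';
}

// True when an encoded fragment contains none of the characters that could
// close an attribute or open a tag.
function hasNoRawMarkup(string $encoded): bool
{
    return preg_match('/[<>"\']/', $encoded) === 0;
}

// Constructed payloads. Neither contains a <script> element, so the naive
// sanitizer passes both through unchanged.
$payloads = [
    'attribute breakout' => '" autofocus onfocus="alert(1)',
    'event handler'      => '<img src=x onerror=alert(1)>',
];

foreach ($payloads as $label => $payload) {
    $vulnSession = [];
    storeSanitized($vulnSession, $payload);

    $safeSession = [];
    storeRaw($safeSession, $payload);

    echo "== $label ==\n";
    echo 'sanitizer changed the payload: '
       . ($vulnSession['display_name'] === $payload ? "no\n" : "yes\n");
    echo 'sanitize-then-trust: ' . renderTrusted($vulnSession) . "\n";
    echo 'encode-at-output:    ' . renderEncoded($safeSession) . "\n";
    echo 'encoded value free of raw markup: '
       . (hasNoRawMarkup(encodeHtml($safeSession['display_name'])) ? "yes\n" : "no\n");
}
```

Run with `php example.php`. The first payload never uses a tag at all, it only closes the surrounding attribute; the second uses a tag the blacklist does not know. Both reach the page intact under the sanitize-then-trust flow, while the encode-at-output flow turns `<`, `>`, `"` and `'` into entities regardless of what the input looked like.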

XSS attacks are dangerous because a script running in a victim's session can read and act on everything that user can see in the CRM, which can lead to a significant data breach with a real financial impact on the business. Prior to 6.4.0, XSS was possible in the following scenario: a user was logged in and viewing or editing a record through yetiforce/yetiforcecrm.

What is YetiForce?

YetiForce is a CRM platform used to manage customer interactions and sales. It provides automation capabilities such as email marketing, lead management and social media, and offers integrations with a number of third-party platforms, including Salesforce and Google Analytics.

Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/06/2022 20:27:00 UTC

References