Unrestricted file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. An attacker can send malicious files to victims; the stored data is retrieved from the web application without being made safe to render in the browser, so the attacker can steal the victim's cookie, leading to account takeover.
References
| Link | Resource |
|---|---|
| https://github.com/yetiforcecompany/yetiforcecrm/commit/bf69c427260011ffca42f7b6935bb54080c54124 | Patch, Third Party Advisory |
| https://huntr.dev/bounties/75c7cf09-d118-4f91-9686-22b142772529 | Exploit, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: @huntrdev
Published: 2022-05-05T10:30:12
Updated: 2022-05-05T10:30:12
Reserved: 2022-04-20T00:00:00
Link: CVE-2022-1411
NVD Information
Status : Analyzed
Published: 2022-05-05T11:15:08.047
Modified: 2022-05-12T20:41:27.477
Link: CVE-2022-1411
Redhat Information
No data.
CWE