Platform
php
Component
yetiforcecrm
Fixed in
6.4.0
CVE-2022-2890 describes a Cross-Site Scripting (XSS) vulnerability discovered in YetiForceCRM prior to version 6.4.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to account takeover and data theft. The vulnerability affects versions of YetiForceCRM less than or equal to 6.4.0, and a patch is available in version 6.4.0.
The XSS vulnerability in YetiForceCRM allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a victim's browser when they visit a compromised page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is particularly severe because XSS vulnerabilities can be exploited to compromise user accounts with elevated privileges, potentially granting the attacker access to sensitive data and control over the CRM system. Successful exploitation could lead to unauthorized access to customer data, financial records, and other confidential information stored within the CRM.
CVE-2022-2890 was publicly disclosed on August 22, 2022. While no active exploitation campaigns have been definitively linked to this specific CVE, XSS vulnerabilities are frequently targeted by attackers. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, increasing the risk of exploitation.
Exploit Status
EPSS
0.39% (60th percentile)
CVSS Vector
The primary mitigation for CVE-2022-2890 is to upgrade YetiForceCRM to version 6.4.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on user-supplied data to reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan the application for XSS vulnerabilities using automated tools.
Update YetiForceCRM to version 6.4.0 or later. This version contains the fix for the stored XSS vulnerability. It is recommended to make a backup before updating.
CVE-2022-2890 is a critical XSS vulnerability affecting YetiForceCRM versions 6.4.0 and earlier, allowing attackers to inject malicious scripts.
Yes, if you are using YetiForceCRM version 6.4.0 or earlier, you are vulnerable to this XSS attack.
Upgrade YetiForceCRM to version 6.4.0 or later to patch the vulnerability. Consider input validation and WAF rules as interim measures.
While no confirmed active campaigns are publicly known, the availability of PoCs increases the likelihood of exploitation.
Refer to the YetiForceCRM security advisory for details: [https://github.com/yetiforcecompany/yetiforcecrm/security/advisories/GHSA-5m9g-4c6x-994w](https://github.com/yetiforcecompany/yetiforcecrm/security/advisories/GHSA-5m9g-4c6x-994w)