Platform
php
Component
yetiforcecrm
Fixed version
6.4.0
CVE-2022-2890 describes a Cross-Site Scripting (XSS) vulnerability discovered in YetiForceCRM prior to version 6.4.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to account takeover and data theft. The vulnerability affects versions of YetiForceCRM less than or equal to 6.4.0, and a patch is available in version 6.4.0.
The XSS vulnerability in YetiForceCRM allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a victim's browser when they visit a compromised page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is particularly severe because XSS vulnerabilities can be exploited to compromise user accounts with elevated privileges, potentially granting the attacker access to sensitive data and control over the CRM system. Successful exploitation could lead to unauthorized access to customer data, financial records, and other confidential information stored within the CRM.
CVE-2022-2890 was publicly disclosed on August 22, 2022. While no active exploitation campaigns have been definitively linked to this specific CVE, XSS vulnerabilities are frequently targeted by attackers. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, increasing the risk of exploitation.
Organizations using YetiForceCRM versions 6.4.0 and earlier are at risk, particularly those with sensitive customer data stored within the CRM. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a vulnerability in one user's account could potentially compromise other accounts on the same server.
• php: Examine application logs for suspicious JavaScript code being injected into user input fields. Use a WAF to detect and block XSS payloads.
grep -r 'alert("XSS")' /var/www/yetiforcecrm/includes/install/
• generic web: Monitor HTTP response headers for signs of injected JavaScript. Use browser developer tools to inspect network traffic for unexpected script tags.
curl -I https://your-yetiforcecrm-instance/ | grep -i content-security-policy
Disclosure
Exploit status
EPSS
0.39% (60th percentile)
CVSS vector
The primary mitigation for CVE-2022-2890 is to upgrade YetiForceCRM to version 6.4.0 or later, which contains the fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on user-supplied data to reduce the attack surface. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan the application for XSS vulnerabilities using automated tools.
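The output-encoding mitigation described above, shown as an added example that is not YetiForceCRM's own code: a stored text field is rendered raw (vulnerable) and then encoded at output time (hardened), with a Content-Security-Policy header as defence in depth. The record array, the payload value and the helper names are constructed for illustration; the example goes slightly beyond the text by also covering a URL-valued field, where encoding alone is not enough.

```php
<?php
// Added example, not YetiForceCRM code. A stored field (for instance a
// contact's name) is read from the database and rendered into an HTML page.

// Constructed sample: values an attacker managed to store in text fields.
$record = [
    'name'    => 'Ada <img src=x onerror="alert(1)">',
    'website' => 'javascript:alert(1)',
];

// Vulnerable: the stored value is echoed raw, so the browser runs the
// embedded event handler for every user who opens the record.
function renderNameVulnerable(array $record): string
{
    return '<h1>' . $record['name'] . '</h1>';
}

// Hardened: encode for the HTML body/attribute context at output time.
// ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of silently returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderNameHardened(array $record): string
{
    return '<h1>' . e($record['name']) . '</h1>';
}

// URL-valued fields also need scheme validation: an encoded javascript:
// link is still executed by the browser when clicked.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

// Defence in depth: a policy without 'unsafe-inline' blocks injected inline
// script even where an encoding gap remains. This is the header the curl
// check in the detection section looks for.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

echo renderNameVulnerable($record), "\n";
echo renderNameHardened($record), "\n";
echo '<a href="' . safeHref($record['website']) . '">site</a>', "\n";
```

Encoding has to match the output context (HTML body, attribute, URL, JavaScript), so one helper does not cover every template location; the CSP header mitigates, but does not replace, correct encoding.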
Update YetiForceCRM to version 6.4.0 or later. This version contains the fix for the stored XSS vulnerability. Making a backup before updating is recommended.
CVE-2022-2890 is a critical XSS vulnerability affecting YetiForceCRM versions 6.4.0 and earlier, allowing attackers to inject malicious scripts.
Yes, if you are using YetiForceCRM version 6.4.0 or earlier, you are vulnerable to this XSS attack.
Upgrade YetiForceCRM to version 6.4.0 or later to patch the vulnerability. Consider input validation and WAF rules as interim measures.
While no confirmed active campaigns are publicly known, the availability of PoCs increases the likelihood of exploitation.
Refer to the YetiForceCRM security advisory for details: [https://github.com/yetiforcecompany/yetiforcecrm/security/advisories/GHSA-5m9g-4c6x-994w](https://github.com/yetiforcecompany/yetiforcecrm/security/advisories/GHSA-5m9g-4c6x-994w)