CVE-2022-0269

Description

Versions of yetiforce 6.3.0 and prior are subject to privilege escalation via a cross site request forgery bug. This allows an attacker to create a new admin account even with SameSite: Strict enabled. This vulnerability can be exploited by any user on the system including guest users.

Affected packages (1)

• Packagist/yetiforce/yetiforce-crmfrom 0, <= 6.3.0

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-0269
• WEBhttps://github.com/yetiforcecompany/yetiforcecrm
• WEBhttps://github.com/yetiforcecompany/yetiforcecrm/commit/298c7870e6fe4332d8aa1757a9c8d79f841389ff
• WEBhttps://huntr.dev/bounties/a0470915-f6df-45b8-b3a2-01aebe764df0