CVE-2022-1411

Published: May 5, 2022Modified: Jun 17, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Unrestructed file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. Attacker can send malicious files to the victims is able to retrieve the stored data from the web application without that data being made safe to render in the browser and steals victim's cookie leads to account takeover.

Affected (1)

Products: Yetiforce: Yetiforce Customer Relationship Management

1 product

Yetiforce Customer Relationship Management

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Yetiforce Yetiforce Customer Relationship Management	Before 6.4.0

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/yetiforcecompany/yetiforcecrm/commit/bf69c427260011ffca42f7b6935bb54080c54124

Source: security@huntr.dev

PatchThird Party Advisory

https://huntr.dev/bounties/75c7cf09-d118-4f91-9686-22b142772529

Source: security@huntr.dev

ExploitThird Party Advisory

https://github.com/yetiforcecompany/yetiforcecrm/commit/bf69c427260011ffca42f7b6935bb54080c54124

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://huntr.dev/bounties/75c7cf09-d118-4f91-9686-22b142772529

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.