
CVE-2022-2924: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in yetiforcecompany yetiforcecompany/yetiforcecrm

Severity: High
Tags: Vulnerability, cve-2022-2924, cwe-79
Published: Tue Sep 20 2022 (09/20/2022, 05:25:09 UTC)
Source: CVE Database V5
Vendor/Project: yetiforcecompany
Product: yetiforcecompany/yetiforcecrm

Description

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.3.

AI-Powered Analysis

Last updated: 07/08/2025, 03:00:57 UTC

Technical Analysis

CVE-2022-2924 is a high-severity stored Cross-site Scripting (XSS) vulnerability in yetiforcecompany's YetiForceCRM product, affecting versions prior to 6.3. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. Stored XSS occurs when malicious input is saved by the application and later rendered in web pages without proper sanitization or output encoding, allowing an attacker to inject JavaScript that executes in the browsers of other users who view the affected page. According to the CVSS v3.0 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), the vulnerability can be exploited remotely over the network with low attack complexity and requires low privileges but no user interaction. The confidentiality impact is low, while the integrity impact is high, as injected scripts can alter data or perform unauthorized actions on behalf of users. Availability is not affected. No known exploits are reported in the wild, and no official patch is linked from the advisory, but the vulnerability is documented as fixed in version 6.3. YetiForceCRM is an open-source customer relationship management system used for managing business processes, customer data, and communications. Stored XSS in such a system can lead to session hijacking, unauthorized actions, data manipulation, or distribution of malware to users accessing the CRM interface.

Potential Impact

For European organizations using YetiforceCRM, this vulnerability poses a significant risk to the integrity of their CRM data and user sessions. Attackers exploiting this flaw could execute malicious scripts that compromise user accounts, manipulate customer data, or escalate privileges within the CRM environment. This could lead to unauthorized access to sensitive customer information, disruption of business operations, and potential reputational damage. Given the CRM's role in managing client relationships and sensitive business data, exploitation could also facilitate further attacks such as phishing or lateral movement within the organization's network. The lack of required user interaction increases the risk of automated exploitation. Organizations in Europe with regulatory obligations under GDPR must be particularly cautious, as data breaches involving personal data could result in substantial fines and legal consequences.

Mitigation Recommendations

European organizations should prioritize upgrading YetiforceCRM to version 6.3 or later, where the vulnerability is addressed. In the absence of an official patch, organizations should implement strict input validation and output encoding on all user-supplied data within the CRM interface to prevent script injection. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Regular security audits and code reviews focusing on input handling should be conducted. Additionally, monitoring web application logs for unusual input patterns or script injections can aid in early detection of exploitation attempts. User privileges should be minimized to the least necessary level to reduce the risk posed by low-privilege exploitation. Finally, educating users about the risks of XSS and encouraging cautious behavior when interacting with CRM content can help reduce impact.
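The advisory does not identify the affected field or template in YetiForceCRM, so the following is a generic illustration of the mitigation recommended above rather than project code. It is an added example written for this page: a constructed CRM "note" record is rendered once by naive string concatenation (the stored-XSS pattern) and once through contextual HTML output encoding, with a small check that a reviewer or log monitor can use to confirm that no active markup survives encoding, and a Content Security Policy builder as the defence-in-depth layer. The `nonce` parameter is an assumed per-response value supplied by the application framework.

```javascript
// Added example (not YetiForce code). A CRM note record with a constructed
// script-bearing body, standing in for any stored, user-controlled field.
const STORED_NOTE = {
  author: "alice",
  body: '<script>document.title="x"</script> Call client <b>tomorrow</b>',
};

// Vulnerable rendering: the stored value is concatenated straight into
// markup, so whatever was saved is interpreted as HTML by the next viewer.
function renderNoteUnsafe(note) {
  return `<div class="note"><span>${note.author}</span>: ${note.body}</div>`;
}

// Contextual output encoding for the HTML text/attribute context. Every
// character that can open or close markup is replaced by its entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened rendering: encoding is applied at the point where each
// user-controlled field is written into the page, not at storage time,
// so the same record can still be exported or searched as plain text.
function renderNoteSafe(note) {
  return `<div class="note"><span>${escapeHtml(note.author)}</span>: ${escapeHtml(note.body)}</div>`;
}

// Coarse check usable in a code review test or over rendered-page logs:
// does the output still contain script tags, event-handler attributes, or
// javascript: URLs? A hit on encoded output means an encoding miss.
function containsActiveMarkup(html) {
  return /<script\b|\son\w+\s*=|javascript:/i.test(html);
}

// Defence in depth: a CSP that disallows inline scripts, so an encoding
// miss elsewhere in the application does not execute. The nonce is an
// assumed per-response value generated by the framework for its own scripts.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Stand-alone demonstration of both renderings.
console.log("unsafe:", renderNoteUnsafe(STORED_NOTE));
console.log("safe:  ", renderNoteSafe(STORED_NOTE));
console.log("csp:   ", buildCsp("example-nonce"));
```

The `containsActiveMarkup` check is deliberately coarse: it is meant to flag regressions in a template's encoding, not to replace encoding with filtering, which is the approach that leads to bypasses. The CSP string would be sent as the `Content-Security-Policy` response header with a fresh nonce on every response.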


Technical Details

Data Version: 5.1
Assigner Short Name: @huntrdev
Date Reserved: 2022-08-22T00:00:00.000Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 68386826182aa0cae2801b59

Added to database: 5/29/2025, 1:59:02 PM

Last enriched: 7/8/2025, 3:00:57 AM

Last updated: 7/25/2025, 9:41:07 PM

Views: 12
