Skip to main content

CVE-2022-3000: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in yetiforcecompany yetiforcecompany/yetiforcecrm

Medium
VulnerabilityCVE-2022-3000cvecve-2022-3000cwe-79
Published: Tue Sep 20 2022 (09/20/2022, 07:10:09 UTC)
Source: CVE Database V5
Vendor/Project: yetiforcecompany
Product: yetiforcecompany/yetiforcecrm

Description

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

AI-Powered Analysis

AILast updated: 07/08/2025, 03:11:46 UTC

Technical Analysis

CVE-2022-3000 is a medium-severity stored Cross-site Scripting (XSS) vulnerability identified in the yetiforcecompany's YetiforceCRM product, specifically in versions prior to 6.4.0. This vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. Stored XSS occurs when malicious input is saved by the application and later rendered in a web page without proper sanitization or encoding, allowing attackers to execute arbitrary JavaScript code in the context of other users' browsers. The CVSS 3.0 base score of 6.3 reflects that the vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The impact affects confidentiality, integrity, and availability, albeit with limited confidentiality and integrity impact and some availability impact. The vulnerability is present in the GitHub repository yetiforcecompany/yetiforcecrm, a customer relationship management (CRM) system used by organizations to manage client data and interactions. No known exploits in the wild have been reported, and no official patch links were provided in the data, but the issue is resolved in versions 6.4.0 and later. The vulnerability allows an authenticated user with limited privileges to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking, unauthorized actions, or data theft. Given the nature of CRM systems, which often contain sensitive customer and business data, exploitation could lead to significant operational and reputational damage.

Potential Impact

For European organizations using YetiforceCRM, this vulnerability poses a tangible risk to the confidentiality and integrity of customer data and internal communications. Attackers exploiting this stored XSS could hijack sessions of other users, escalate privileges, or perform unauthorized actions within the CRM environment. This could lead to data leakage of sensitive client information, manipulation of business records, or disruption of CRM services. The impact extends to regulatory compliance, as unauthorized data exposure may violate GDPR requirements, leading to legal and financial penalties. Additionally, the availability impact, although limited, could disrupt business operations relying on the CRM system. Organizations in sectors such as finance, healthcare, and public services, which heavily rely on CRM systems for managing sensitive data, could face heightened risks. The absence of known exploits in the wild suggests limited active targeting currently, but the presence of the vulnerability in publicly accessible code repositories increases the risk of future exploitation if unpatched.

Mitigation Recommendations

European organizations should prioritize upgrading YetiforceCRM installations to version 6.4.0 or later, where this vulnerability is addressed. In the absence of immediate upgrade capability, organizations should implement strict input validation and output encoding on all user-supplied data fields within the CRM to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit user privileges rigorously to reduce the risk posed by authenticated attackers. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS. Monitor logs for unusual activities that may indicate exploitation attempts. Additionally, educate users about the risks of XSS and encourage cautious behavior when interacting with CRM content. Finally, ensure that web application firewalls (WAFs) are configured to detect and block common XSS attack patterns targeting the CRM.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
@huntrdev
Date Reserved
2022-08-26T00:00:00.000Z
Cvss Version
3.0
State
PUBLISHED

Threat ID: 68386826182aa0cae2801b76

Added to database: 5/29/2025, 1:59:02 PM

Last enriched: 7/8/2025, 3:11:46 AM

Last updated: 8/16/2025, 12:32:50 AM

Views: 9

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats