CVE-2022-1411: Unrestricted Upload of File with Dangerous Type

May 6, 2022 (updated May 24, 2022)

Unrestructed file upload in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0. Attacker can send malicious files to the victims is able to retrieve the stored data from the web application without that data being made safe to render in the browser and steals victim’s cookie leads to account takeover.

References

github.com/advisories/GHSA-pqr6-3j58-9w58
github.com/yetiforcecompany/yetiforcecrm/commit/bf69c427260011ffca42f7b6935bb54080c54124
huntr.dev/bounties/75c7cf09-d118-4f91-9686-22b142772529
nvd.nist.gov/vuln/detail/CVE-2022-1411

Detect and mitigate CVE-2022-1411 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →