
CVE-2022-3000: YetiForce CRM vulnerable to stored Cross-site Scripting via LayoutEditor module

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.26074%
Published: 9/21/2022
Updated: 1/30/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: yetiforce/yetiforce-crm
Ecosystem: composer
Vulnerable Versions: <= 6.4.0
First Patched Version: none listed

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing output encoding in the EditField.tpl template. The patch adds escaping (via |escape and \App\Purifier::encodeHtml) to variables populated by methods such as getFieldLabel(), get('maximumlength'), and getHeaderValue(). These methods return user-controllable data (for example field labels and field parameters) that was rendered directly into HTML attributes and option values without sanitization, which enables stored XSS. The methods are vulnerable only in the context of their unescaped use in the template, not in their own implementation.
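The attribute-context encoding the patch introduces, shown as an added PHP example that is not YetiForce code: a stored field label is rendered into an input's value attribute first the unpatched way and then encoded. Plain string concatenation stands in for the EditField.tpl Smarty template, htmlspecialchars() stands in for |escape and \App\Purifier::encodeHtml (an assumption about what those calls produce), and the function names encodeHtml, renderFieldVulnerable, renderFieldHardened and countAttributes are this example's own.

```php
<?php
// Added example, not YetiForce code. Plain string building stands in for the
// EditField.tpl Smarty template; htmlspecialchars() stands in for |escape and
// \App\Purifier::encodeHtml (an assumption about what those calls produce).
declare(strict_types=1);

/** Attribute-safe encoding: quotes, angle brackets and ampersands become entities. */
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Unpatched rendering: the field label and maximumlength are interpolated as-is. */
function renderFieldVulnerable(string $label, string $maxLength): string
{
    return '<input type="text" value="' . $label . '" maxlength="' . $maxLength . '">';
}

/** Patched rendering: every interpolated value is encoded for the attribute context. */
function renderFieldHardened(string $label, string $maxLength): string
{
    return '<input type="text" value="' . encodeHtml($label)
        . '" maxlength="' . encodeHtml($maxLength) . '">';
}

/** Number of name="..." attributes an HTML parser would see in the rendered tag. */
function countAttributes(string $html): int
{
    return (int) preg_match_all('/\s[a-z-]+="[^"]*"/i', $html);
}

// Constructed stored label: the double quote ends the value attribute early,
// so the remainder of the label is parsed as a second, attacker-chosen attribute.
$storedLabel = 'Phone" data-injected="1';
$maxLength   = '50';

$variants = [
    'vulnerable' => renderFieldVulnerable($storedLabel, $maxLength),
    'hardened'   => renderFieldHardened($storedLabel, $maxLength),
];

foreach ($variants as $name => $html) {
    // The vulnerable variant yields one more attribute than the template intended;
    // the hardened variant keeps the whole label inside the value attribute.
    printf("%-10s attributes=%d %s\n", $name, countAttributes($html), $html);
}
```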


WAF Protection Rules

WAF Rule

YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `LayoutEditor` module. A patch is available at commit ****************************************.
