VYPR
Moderate severity · NVD Advisory · Published Dec 14, 2021 · Updated Aug 3, 2024

Cross-site Scripting (XSS) - Reflected in yetiforcecompany/yetiforcecrm

CVE-2021-4107

Description

yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
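The weakness the description names (CWE-79) is closed only if the HTML a user enters is neutralized before it is written into a page, and that neutralization has to run on the server on every save and render path, not just behind the editor's source toggle, because a client can post to the save action directly. As an added example, not YetiForce's code and not the purifier its setValueFromRequest() path uses, the JavaScript below shows the allow-list approach in its strict form: the tag set, the http(s)-only href policy and the sample payloads are assumptions constructed for this illustration.

```javascript
// Added example, not YetiForce code: a strict allow-list neutralizer for a
// rich-text field. The tag set and URL policy below are assumptions for the
// example; a real deployment should use a maintained purifier. The invariant
// this function keeps: every '<' in its output was emitted by this code as a
// canonical tag, and every other input character is entity-escaped.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'ul', 'ol', 'li', 'a']);

function escapeText(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Extract the href value from a raw attribute string; returns '' if absent.
function hrefOf(attrs) {
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
  if (!m) return '';
  return (m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3]).trim();
}

function neutralizeHtml(input) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index)); // text between tags
    last = tagRe.lastIndex;
    const [whole, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeText(whole); // <script>, <img onerror=...>: rendered as literal text
    } else if (slash) {
      out += `</${name}>`;
    } else if (name === 'a') {
      const url = hrefOf(attrs);
      // Only absolute http(s) links survive; javascript:, data:, vbscript: are dropped.
      out += /^https?:\/\//i.test(url)
        ? `<a href="${escapeText(url)}" rel="noopener noreferrer">`
        : '<a>';
    } else {
      out += `<${name}>`; // every attribute (onclick, style, ...) is dropped
    }
  }
  out += escapeText(input.slice(last)); // trailing text, including a stray '<'
  return out;
}

// Constructed sample payloads of the kind a user can type into CKEditor's
// source view when allowedContent is true.
const SAMPLES = [
  '<b>bold</b> and <i>italic</i>',
  '<script>alert(document.cookie)</script>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
  '<p onmouseover="alert(1)">hover</p>',
  '<scr<script>ipt>alert(1)</script>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(neutralizeHtml(s)));
}
```

Run it with node. The property worth checking in any neutralizer is the one the comment states: no '<' in the output except canonical tags the code itself emitted, which is why a tag-splitting payload like the last sample comes out as text rather than as a script element. The example double-escapes pre-existing entities (a typed `&lt;` becomes `&amp;lt;`), which is safe but lossy; a production purifier decodes entities first and then applies the policy.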

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: yetiforce/yetiforce-crm (Packagist)
Affected versions: <= 6.3.0
Patched versions: (none listed)


Patches

Commit a062d3d5fecb

Added additional data validation in the wysiwyg editor when inputting data in the source.

https://github.com/yetiforcecompany/yetiforcecrm · Mariusz Krzaczkowski · Dec 13, 2021 · via ghsa
3 files changed · +67 −7
  • config/version.php+1 1 modified
    @@ -1,7 +1,7 @@
     <?php
     
     return [
    -	'appVersion' => '6.3.3',
    +	'appVersion' => '6.3.4',
     	'patchVersion' => '2021.12.13',
     	'lib_roundcube' => '0.2.3',
     ];
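Review bot: the bump from 6.3.3 to 6.3.4 does not line up with the affected range of <= 6.3.0 listed above, and the patched-versions field is empty; the advisory metadata should be reconciled with this commit (presumably 6.3.4 as the first fixed release) so that consumers can match the fix to a release. `patchVersion` stays at 2021.12.13, which matches the commit date, so no change is needed there.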
    
  • modules/Vtiger/actions/Fields.php+25 1 modified
    @@ -53,8 +53,9 @@ public function __construct()
     		$this->exposeMethod('getOwners');
     		$this->exposeMethod('getReference');
     		$this->exposeMethod('getUserRole');
    -		$this->exposeMethod('verifyPhoneNumber');
     		$this->exposeMethod('findAddress');
    +		$this->exposeMethod('validate');
    +		$this->exposeMethod('verifyPhoneNumber');
     		$this->exposeMethod('verifyIsHolidayDate');
     		$this->exposeMethod('changeFavoriteOwner');
     	}
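Review bot: moving `$this->exposeMethod('verifyPhoneNumber');` below `findAddress` is a pure reorder that only adds diff noise; the single line the fix needs here is `$this->exposeMethod('validate');`. Because exposeMethod makes `validate` reachable as `mode=validate` by any client that can call this action (the Fields.js hunk below does exactly that), confirm that the action's permission check, which is not part of this diff, covers the new mode.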
    @@ -267,4 +268,27 @@ public function changeFavoriteOwner(App\Request $request)
     		$response->setResult(['result' => $result, 'message' => $message]);
     		$response->emit();
     	}
    +
    +	/**
    +	 * Validate the field value.
    +	 *
    +	 * @param \App\Request $request
    +	 *
    +	 * @throws \App\Exceptions\NoPermitted
    +	 */
    +	public function validate(App\Request $request)
    +	{
    +		$fieldModel = Vtiger_Module_Model::getInstance($request->getModule())->getFieldByName($request->getByType('fieldName', 2));
    +		if (!$fieldModel || !$fieldModel->isActiveField() || !$fieldModel->isViewEnabled()) {
    +			throw new \App\Exceptions\NoPermitted('ERR_NO_PERMISSIONS_TO_FIELD', 406);
    +		}
    +		$recordModel = \Vtiger_Record_Model::getCleanInstance($fieldModel->getModuleName());
    +		$fieldModel->getUITypeModel()->setValueFromRequest($request, $recordModel, 'fieldValue');
    +		$response = new Vtiger_Response();
    +		$response->setResult([
    +			'raw' => $recordModel->get($fieldModel->getName()),
    +			'display' => $recordModel->getDisplayValue($fieldModel->getName()),
    +		]);
    +		$response->emit();
    +	}
     }
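Review bot: validate() gates on isActiveField() and isViewEnabled(), but the operation runs the UI-type setter on the field, i.e. an edit, so it should also require the field to be editable for the current user rather than merely viewable; otherwise a user with read-only access to the field can exercise setValueFromRequest() on it. Two smaller points: `getByType('fieldName', 2)` uses a bare purifier type code, and a named constant would document which filtering is applied; and raising NoPermitted with 406 (Not Acceptable) is an odd status for an authorization failure, 403 is conventional unless 406 is the project-wide convention for NoPermitted. More importantly, the purified value is only returned to the client, so it reaches the record only if the client writes it back; the save action must run the same setValueFromRequest() path on its own, and this endpoint must not become the only place the purification happens.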
    
  • public_html/layouts/resources/Fields.js+41 5 modified
    @@ -532,8 +532,7 @@ window.App.Fields = {
     			 */
     			loadEditor(element, customConfig) {
     				this.setElement(element);
    -				const instance = this.getEditorInstanceFromName(),
    -					self = this;
    +				const instance = this.getEditorInstanceFromName();
     				let config = {
     					language: CONFIG.langKey,
     					allowedContent: true,
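Review bot: `allowedContent: true` (unchanged context) turns off CKEditor 4's Advanced Content Filter, so the editor accepts whatever markup is typed into source mode and the new server round-trip becomes the only filter on that input. Consider constraining allowedContent to the tag and attribute set the server-side purifier accepts, so the client policy cannot drift from the server policy. The arrow-function refactor that drops `self` is fine.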
    @@ -546,12 +545,17 @@ window.App.Fields = {
     					emojiEnabled: false,
     					mentionsEnabled: false,
     					on: {
    -						instanceReady: function (evt) {
    +						instanceReady: (evt) => {
     							evt.editor.on('blur', function () {
     								evt.editor.updateElement();
     							});
    -							if (self.isModal && self.progressInstance) {
    -								self.progressInstance.progressIndicator({ mode: 'hide' });
    +							if (this.isModal && this.progressInstance) {
    +								this.progressInstance.progressIndicator({ mode: 'hide' });
    +							}
    +						},
    +						beforeCommandExec: (e) => {
    +							if (e.editor.mode === 'source') {
    +								return this.validate(element, e);
     							}
     						}
     					},
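Review bot: the `beforeCommandExec` listener calls `this.validate(element, e)` for every command executed while `e.editor.mode === 'source'`, not only for the `source` toggle that leaves source mode, so each command in that mode triggers a blocking request; filter on the command name (`e.data.name === 'source'`, or whichever command the fix targets). It also never runs if the user types raw HTML in source mode and submits the form without executing a command: the `blur` handler only calls `updateElement()`, so the unsanitized source reaches the save path, which therefore has to sanitize independently. Relying on the listener's `false` return to cancel the command works in CKEditor 4 but is implicit; calling `e.cancel()` explicitly on validation failure makes the intent visible.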
    @@ -741,6 +745,38 @@ window.App.Fields = {
     			getMentionUsersData(opts, callback) {
     				App.Fields.Text.getMentionData(opts, callback, 'owners');
     			}
    +
    +			/**
    +			 * Function to validate the field value
    +			 * @param {jQuery} element
    +			 * @param {object} e
    +			 */
    +			validate(element, e) {
    +				let status = true;
    +				AppConnector.request({
    +					async: false,
    +					data: {
    +						module: element.closest('form').find('[name="module"]').val(),
    +						action: 'Fields',
    +						mode: 'validate',
    +						fieldName: element.attr('name'),
    +						fieldValue: element.val()
    +					}
    +				})
    +					.done(function (data) {
    +						element.val(data.result.raw);
    +					})
    +					.fail(function (error) {
    +						app.showNotify({
    +							type: 'error',
    +							title: app.vtranslate('JS_ERROR'),
    +							text: error
    +						});
    +						status = false;
    +					});
    +
    +				return status;
    +			}
     		},
     		/**
     		 * Completions class for contenteditable html element for records, users and emojis. Params can be passed in data-completions- of contenteditable element or as argument. Default params:
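Review bot: `async: false` issues a synchronous XHR on the main thread, which browsers deprecate and which freezes the editor on a slow link; since beforeCommandExec can be cancelled, the cleaner pattern is to cancel, run the request asynchronously, and re-execute the command on success. `fieldValue: element.val()` reads the underlying textarea, which per the loadEditor hunk is only refreshed on blur, so the value validated may be stale relative to what is in the source view; and `element.val(data.result.raw)` writes back to the textarea, not to the editor instance, so the editor keeps the unsanitized source unless something calls setData(). `text: error` passes the jqXHR object to showNotify rather than a message string. Finally, `status` is only set to false on transport failure: a 200 response without `result.raw` still returns true and blanks the field, so check the response shape before writing it back.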
    
