Moderate severity · NVD Advisory · Published Dec 16, 2021 · Updated Aug 3, 2024
Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm
CVE-2021-4121
Description
yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yetiforce/yetiforce-crm (Packagist) | <= 6.3.0 | — |
Affected products
- Range: unspecified
Patches
- 6b5967198e43: Improved MeetingUrl uitype
2 files changed · +7 −7
config/version.php+2 −2 modified@@ -1,7 +1,7 @@ <?php return [ - 'appVersion' => '6.3.7', - 'patchVersion' => '2021.12.14', + 'appVersion' => '6.3.8', + 'patchVersion' => '2021.12.15', 'lib_roundcube' => '0.2.3', ];
layouts/basic/modules/Vtiger/Modals/MeetingModal.tpl+5 −5 modified@@ -12,7 +12,7 @@ <div class="row mb-3 mt-2"> <div class="col-xs-6 mx-auto"> <span class="m-1 u-fs-4x yfi-guest-link text-success js-clipboard u-cursor-pointer" data-js="click" - data-copy-attribute="clipboard-text" data-clipboard-text="{$MEETING_GUEST_URL}" + data-copy-attribute="clipboard-text" data-clipboard-text="{\App\Purifier::encodeHtml($MEETING_GUEST_URL)}" title="{\App\Language::translate('BTN_COPY_TO_CLIPBOARD', $MODULE_NAME)}"> </span> <div class="text-center text-success"> @@ -21,7 +21,7 @@ </div> {if $SIMPLE_URL && !$MEETING_URL} <div class="col-xs-6 mx-auto"> - <a class="m-1 u-fs-4x yfi-enter-guest text-success" href="{$MEETING_GUEST_URL}" rel="noreferrer noopener" target="_blank" + <a class="m-1 u-fs-4x yfi-enter-guest text-success" href="{\App\Purifier::encodeHtml($MEETING_GUEST_URL)}" rel="noreferrer noopener" target="_blank" title="{\App\Language::translate('LBL_MEETING_JOIN', $MODULE_NAME)}"> </a> <div class="text-success"> @@ -68,7 +68,7 @@ {else} {assign var=URLDATA value=OSSMail_Module_Model::getExternalUrl($MODULE_NAME, $RECORD_ID, 'Detail', 'new')} {if $URLDATA} - <a class="m-1 yfi-send-invitation text-info u-fs-4x" href="{$URLDATA}" + <a class="m-1 yfi-send-invitation text-info u-fs-4x" href="{\App\Purifier::encodeHtml($URLDATA)}" title="{\App\Language::translate('LBL_MEETING_SEND_INVITATION', $MODULE_NAME)}"> </a> <div class="text-center text-info"> 
@@ -95,15 +95,15 @@ <div class="mb-3 mt-2 row"> <div class="col-xs-6 mx-auto"> <span class="m-1 u-fs-4x yfi-moderator-link text-danger js-clipboard u-cursor-pointer" data-js="click" - data-copy-attribute="clipboard-text" data-clipboard-text="{$MEETING_URL}" + data-copy-attribute="clipboard-text" data-clipboard-text="{\App\Purifier::encodeHtml($MEETING_URL)}" title="{\App\Language::translate('BTN_COPY_TO_CLIPBOARD', $MODULE_NAME)}"> </span> <div class="text-center text-danger"> {\App\Language::translate('LBL_COPY', $MODULE_NAME)} </div> </div> <div class="col-xs-6 mx-auto"> - <a class="m-1 u-fs-4x yfi-enter-moderator text-danger" href="{$MEETING_URL}" rel="noreferrer noopener" target="_blank" + <a class="m-1 u-fs-4x yfi-enter-moderator text-danger" href="{\App\Purifier::encodeHtml($MEETING_URL)}" rel="noreferrer noopener" target="_blank" title="{\App\Language::translate('LBL_MEETING_JOIN', $MODULE_NAME)}"> </a> <div class="text-danger">
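Review bot: In layouts/basic/modules/Vtiger/Modals/MeetingModal.tpl, hunk @@ -21,7, `href="{\App\Purifier::encodeHtml($MEETING_GUEST_URL)}"` stops the value from breaking out of the attribute but does not constrain the URL scheme, so a stored value that is not http or https would still be emitted as a working link. Nothing in the visible lines validates the scheme; please confirm that $MEETING_GUEST_URL (and $MEETING_URL in the href of hunk @@ -95,15) is restricted to http/https where it is built or saved, or add that check before the anchor is rendered.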
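Review bot: In MeetingModal.tpl, hunk @@ -68,7, the `title="{\App\Language::translate('LBL_MEETING_SEND_INVITATION', $MODULE_NAME)}"` attribute directly below the fixed href is still written without encodeHtml. If translate() is not guaranteed to return HTML-safe output, this attribute (and the matching title attributes in the other hunks) needs the same encoding; if it is guaranteed, a one-line template comment saying so would settle the question for the next reader.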
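Review bot: In MeetingModal.tpl, hunk @@ -95,15, $MEETING_URL is wrapped in \App\Purifier::encodeHtml() by hand at both the data-clipboard-text and the href sink, and the same manual pattern is repeated for $MEETING_GUEST_URL and $URLDATA in the earlier hunks, so any sink added later without the call brings the stored XSS back. Consider turning on default output escaping for this template instead of per-site calls, and add a regression test that renders the modal with a meeting URL containing a double quote and asserts that the attribute stays intact.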
References
- github.com/advisories/GHSA-j85f-xw9x-ffwp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-4121 (ghsa, ADVISORY)
- github.com/yetiforcecompany/yetiforcecrm/commit/6b5967198e43b6fbb3b2715b49c6cd5b12ce08c3 (ghsa, x_refsource_MISC, WEB)
- huntr.dev/bounties/6da878de-acdb-4b97-b9ff-9674c3f0881d (ghsa, x_refsource_CONFIRM, WEB)