High severity · NVD Advisory · Published Jan 24, 2022 · Updated Aug 2, 2024
Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm
CVE-2022-0269
Description
Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm prior to 6.3.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yetiforce/yetiforce-crm (Packagist) | <= 6.3.0 | — |
Affected products
- Range: unspecified
Patches
298c7870e6fe — Improved CSRF protection
10 files changed · +23 −39
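--- a/app/Controller/Action.php
+++ b/app/Controller/Action.php
@@ -7,6 +7,7 @@
  * @copyright YetiForce Sp. z o.o
  * @license YetiForce Public License 4.0 (licenses/LicenseEN.txt or yetiforce.com)
  * @author Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>
+ * @author Radosław Skrzypczak <r.skrzypczak@yetiforce.com>
  */
 
 namespace App\Controller;
@@ -16,9 +17,6 @@
  */
 abstract class Action extends Base
 {
-	/** {@inheritdoc} */
-	public $csrfActive = false;
-
 	/**
 	 * Process action.
 	 *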
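--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -7,6 +7,7 @@
  * @copyright YetiForce Sp. z o.o
  * @license YetiForce Public License 4.0 (licenses/LicenseEN.txt or yetiforce.com)
  * @author Mariusz Krzaczkowski <m.krzaczkowski@yetiforce.com>
+ * @author Radosław Skrzypczak <r.skrzypczak@yetiforce.com>
  */
 
 namespace App\Controller;
@@ -18,25 +19,13 @@
 abstract class Base
 {
 	/** @var \App\Headers Headers instance. */
 	public $headers;
-	/**
-	 * CSRF is active?.
-	 *
-	 * @var bool
-	 */
-	public $csrfActive = true;
 	/**
 	 * Activated language locale.
 	 *
 	 * @var bool
 	 */
 	protected static $activatedLocale = false;
-	/**
-	 * Activated csrf.
-	 *
-	 * @var bool
-	 */
-	protected static $activatedCsrf = false;
 
 	/**
 	 * Constructor.
@@ -48,15 +37,9 @@ public function __construct()
 			\App\Language::initLocale();
 			self::$activatedLocale = true;
 		}
-		if (!self::$activatedCsrf) {
-			if ($this->csrfActive && \App\Config::security('csrfActive')) {
-				require_once 'config/csrf_config.php';
-				\CsrfMagic\Csrf::init();
-				$this->csrfActive = true;
-			} else {
-				$this->csrfActive = false;
-			}
-			self::$activatedCsrf = true;
+		if (\App\Config::security('csrfActive')) {
+			require_once 'config/csrf_config.php';
+			\CsrfMagic\Csrf::init();
 		}
 	}
 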
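Review bot: The once-per-request guard `self::$activatedCsrf` is removed from the constructor hunk, so `require_once 'config/csrf_config.php'` and `\CsrfMagic\Csrf::init()` now run on every `Base` construction while `csrfActive` is on; `require_once` is idempotent, but whether `Csrf::init()` tolerates a second call in the same request (for instance when one controller instantiates another) is not visible here and should be confirmed or guarded. A comment on the new `if` would make the intended contract explicit, e.g. `// Loads CSRFConfig and initialises csrf-magic for this request; the token itself is only checked later, in \App\Request::validateWriteAccess()`. The constructor body begins before the hunk.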
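--- a/app/Request.php
+++ b/app/Request.php
@@ -710,8 +710,8 @@ public function validateWriteAccess($skipRequestTypeCheck = false)
 			throw new \App\Exceptions\Csrf('Invalid request - validate Write Access');
 		}
 		$this->validateReadAccess();
-		if (class_exists('CSRFConfig') && !\CsrfMagic\Csrf::check(false)) {
-			throw new \App\Exceptions\Csrf('Unsupported request');
+		if (\App\Config::security('csrfActive')) {
+			\CsrfMagic\Csrf::check();
 		}
 	}
 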
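Review bot: The `class_exists('CSRFConfig')` guard is dropped, so `\CsrfMagic\Csrf::check()` is now reached whenever the `csrfActive` setting is on, even on a request path where `config/csrf_config.php` was never loaded (that load happens in the `Base` controller constructor, not here). Whether an uninitialised `check()` fails closed or lets the request through depends on the library's defaults and is not visible in this hunk, so the precondition should be stated or enforced, e.g. `// Precondition: \App\Controller\Base::__construct() has loaded CSRFConfig and run Csrf::init(); rejection is performed by the configured Csrf::$callback, which throws \App\Exceptions\Csrf`. Note that the return value of `check()` is no longer inspected, so the rejection now depends entirely on that callback being set. validateWriteAccess begins before the hunk.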
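--- a/config/ConfigTemplates.php
+++ b/config/ConfigTemplates.php
@@ -1154,6 +1154,12 @@
 			'validation' => '\App\Validator::bool',
 			'sanitization' => '\App\Purifier::bool'
 		],
+		'csrfLifetimeToken' => [
+			'default' => 28800,
+			'description' => 'Default expire time of CSRF token in seconds',
+			'validation' => '\App\Validator::naturalNumber',
+			'sanitization' => '\App\Purifier::naturalNumber'
+		],
 		'csrfFrameBreaker' => [
 			'default' => true,
 			'description' => 'Enable verified frame protection, used in CSRF',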
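Review bot: The new `csrfLifetimeToken` default is 28800 here and in config/Security.php, but the fallback used in config/csrf_config.php is `\App\Config::security('csrfLifetimeToken', 7200)`, so an installation whose generated config predates this key silently gets a token lifetime four times shorter than the documented default. Either change that fallback to `28800` or add a comment in csrf_config.php explaining why the code-level fallback is deliberately stricter. If `\App\Validator::naturalNumber` accepts 0, a value of 0 would make every token expire immediately; confirm the validator rejects it or document a minimum in the description.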
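--- a/config/csrf_config.php
+++ b/config/csrf_config.php
@@ -6,6 +6,7 @@
  * The Initial Developer of the Original Code is vtiger.
  * Portions created by vtiger are Copyright (C) vtiger.
  * All Rights Reserved.
+ * Contributor(s): YetiForce Sp. z o.o
  ******************************************************************************
  */
 class CSRFConfig
@@ -16,14 +17,15 @@ class CSRFConfig
 	public static function startup()
 	{
 		//Override the default expire time of token
-		\CsrfMagic\Csrf::$expires = 259200;
+		\CsrfMagic\Csrf::$expires = \App\Config::security('csrfLifetimeToken', 7200);
 		\CsrfMagic\Csrf::$callback = function ($tokens) {
-			throw new \App\Exceptions\AppException('Invalid request - Response For Illegal Access', 403);
+			throw new \App\Exceptions\Csrf('Invalid request - Response For Illegal Access', 403);
 		};
 		$js = 'vendor/yetiforce/csrf-magic/src/Csrf.min.js';
 		if (!IS_PUBLIC_DIR) {
 			$js = 'public_html/' . $js;
 		}
+		\CsrfMagic\Csrf::$defer = true;
 		\CsrfMagic\Csrf::$dirSecret = __DIR__;
 		\CsrfMagic\Csrf::$rewriteJs = $js;
 		\CsrfMagic\Csrf::$cspToken = \App\Session::get('CSP_TOKEN');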
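Review bot: `\CsrfMagic\Csrf::$defer = true;` changes when the token is validated but carries no comment; if csrf-magic's `$defer` keeps its usual meaning, `init()` no longer checks POST requests itself and the check happens only when `Csrf::check()` is called explicitly, which in this commit is `\App\Request::validateWriteAccess()`. Add a comment above the assignment, e.g. `// Defer validation: tokens are checked explicitly in \App\Request::validateWriteAccess(), not at init()`, so the coupling between the two files is visible to the next maintainer. The `$tokens` parameter of the `$callback` closure is unused; acceptable if the library dictates the signature, but a short note saying so would avoid a future "fix". The startup() method continues outside the hunk.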
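--- a/config/Security.php
+++ b/config/Security.php
@@ -151,6 +151,9 @@ class Security
 	/** Enable CSRF protection */
 	public static $csrfActive = true;
 
+	/** Default expire time of CSRF token in seconds */
+	public static $csrfLifetimeToken = 28800;
+
 	/** Enable verified frame protection, used in CSRF */
 	public static $csrfFrameBreaker = true;
 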
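--- a/config/version.php
+++ b/config/version.php
@@ -1,7 +1,7 @@
 <?php
 
 return [
-	'appVersion' => '6.3.42',
-	'patchVersion' => '2022.01.17',
+	'appVersion' => '6.3.43',
+	'patchVersion' => '2022.01.18',
 	'lib_roundcube' => '0.2.10',
 ];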
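--- a/include/main/WebUI.php
+++ b/include/main/WebUI.php
@@ -168,9 +168,7 @@ public function process(App\Request $request)
 			\App\Log::error("HandlerClass: $handlerClass", 'Loader');
 			throw new \App\Exceptions\AppException('LBL_HANDLER_NOT_FOUND', 405);
 		}
-		if ($handler->csrfActive) {
-			$handler->validateRequest($request);
-		}
+		$handler->validateRequest($request);
 		if ($handler->loginRequired() && $this->checkLogin($request)) {
 			return true;
 		}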
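--- a/install/views/Index.php
+++ b/install/views/Index.php
@@ -14,9 +14,6 @@ class Install_Index_View extends \App\Controller\View\Base
 {
 	use \App\Controller\ExposeMethod;
 
-	/** {@inheritdoc} */
-	public $csrfActive = false;
-
 	/**
 	 * @var bool
 	 */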
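--- a/modules/Users/views/Login.php
+++ b/modules/Users/views/Login.php
 {
-	/** {@inheritdoc} */
-	public $csrfActive = false;
-
 	/** {@inheritdoc} */
 	public function __construct()
 	{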
References
- github.com/advisories/GHSA-7g7r-gr46-q4p5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-0269 (ghsa, ADVISORY)
- github.com/yetiforcecompany/yetiforcecrm/commit/298c7870e6fe4332d8aa1757a9c8d79f841389ff (ghsa, x_refsource_MISC, WEB)
- huntr.dev/bounties/a0470915-f6df-45b8-b3a2-01aebe764df0 (ghsa, x_refsource_CONFIRM, WEB)