Moderate severity · NVD Advisory · Published Oct 6, 2022 · Updated Aug 3, 2024

Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm

CVE-2022-3002

Description

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: yetiforce/yetiforce-crm (Packagist)
Affected versions: <= 6.4.0
Patched versions: (none listed)

Patches

54728becfdad

Improved display of data in the business hours

https://github.com/yetiforcecompany/yetiforcecrm · Mariusz Krzaczkowski · Aug 26, 2022 · via ghsa
1 file changed · +2 -3
  • layouts/basic/modules/Settings/BusinessHours/EditViewBlocks.tpl (+2 -3, modified)
    @@ -19,7 +19,7 @@
     				<div class="card">
     					<div class="card-header">
     						{if !empty($RECORD_MODEL->getId())}
    -							<span class="yfi yfi-full-editing-view mr-2"></span>{\App\Language::translate('LBL_EDIT_BUSINESS_HOURS',$QUALIFIED_MODULE)} - {$RECORD_MODEL->getName()}
    +							<span class="yfi yfi-full-editing-view mr-2"></span>{\App\Language::translate('LBL_EDIT_BUSINESS_HOURS',$QUALIFIED_MODULE)} - {\App\Purifier::encodeHtml($RECORD_MODEL->getName())}
     						{else}
     							<span class="fas fa-plus mr-2"></span>{\App\Language::translate('LBL_ADD_BUSINESS_HOURS',$QUALIFIED_MODULE)}
     						{/if}
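Review bot: The escaping in the card header is applied at the call site, `{\App\Purifier::encodeHtml($RECORD_MODEL->getName())}`, so the protection holds only where a template author remembers the wrapper. This commit changes a single file; before merging, search the other templates that print the business-hours name for a raw `{$RECORD_MODEL->getName()}` and wrap those as well, or encode in one shared place so new templates inherit it. The commit message ("Improved display of data in the business hours") should also say that this is an output-encoding fix, so the change can be found when auditing.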
    @@ -29,8 +29,7 @@
     							<div class="col-12 form-group row">
     								<label class="col-5"><span class="redColor">*</span>{\App\Language::translate('LBL_NAME', $QUALIFIED_MODULE)}</label>
     								<div class="col-7">
    -									<input type="text" name="name" class="form-control w-100" {if isset($RECORD_MODEL)} value="{$RECORD_MODEL->getName()}" {/if}
    -										data-validation-engine="validate[required,funcCall[Vtiger_Base_Validator_Js.invokeValidation]]">
    +									<input type="text" name="name" class="form-control w-100" {if isset($RECORD_MODEL)}value="{\App\Purifier::encodeHtml($RECORD_MODEL->getName())}" {/if} data-validation-engine="validate[required,funcCall[Vtiger_Base_Validator_Js.invokeValidation]]">
     								</div>
     							</div>
     							<div class="col-12 form-group row">
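Review bot: In the `<input>` line the name now lands inside a double-quoted attribute, `value="{\App\Purifier::encodeHtml($RECORD_MODEL->getName())}"`, so the fix is only complete if `encodeHtml` escapes `"` as well as `<` and `>`; please confirm that and add a regression test with a name containing a double quote and a tag. The same line also folds the `data-validation-engine` attribute onto one line and drops the space in `{if isset($RECORD_MODEL)}value=`, which mixes reformatting into a security change; keeping the original two-line layout would make the escaping change the only difference in this hunk.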
    
