CVE-2023-49508
Description
Directory Traversal vulnerability in YetiForceCompany YetiForceCRM versions 6.4.0 and before allows a remote authenticated attacker to obtain sensitive information via the license parameter in the LibraryLicense.php component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in YetiForceCRM <=6.4.0 allows authenticated attackers to read arbitrary files via the license parameter.
Vulnerability
A directory traversal vulnerability exists in YetiForceCRM versions 6.4.0 and earlier in the LibraryLicense.php component. The license parameter is insufficiently sanitized, allowing an attacker to include path traversal sequences (e.g., ../) [1]. The commit diff shows that the input was originally processed as 'Text' type without proper directory validation [3].
Exploitation
Exploitation requires a remote authenticated user. An attacker can send a crafted HTTP request with a malicious license parameter to read arbitrary files outside the intended directory. No special privileges beyond basic authentication are needed [2].
Impact
Successful exploitation allows reading sensitive files such as configuration files (e.g., database credentials), source code, or other system files. This information disclosure can facilitate further attacks against the application and underlying infrastructure [1][2].
Mitigation
The vulnerability was patched in commit ba3a348, which introduced proper file path validation using \App\Fields\File::isAllowedFileDirectory and output escaping. The fix is included in version 6.4.271 and later. Users should upgrade to a patched version [3]. The original repository has been archived [4].
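The class of fix described above (canonicalising a user-supplied file name, confining it to an allowed directory, and escaping the result before output) can be illustrated in a few lines of PHP. The block below is an added example written for this page, not YetiForceCRM's code and not the project's `isAllowedFileDirectory` implementation; the function names, the `licenses` directory and the sample files are constructed for the demonstration.

```php
<?php
// Added example, not YetiForceCRM's code. Shows the defensive pattern behind the
// fix described above: resolve a user-supplied file name to a canonical path,
// accept it only if it stays inside the allowed directory, and escape the file
// contents before they reach HTML. Function and directory names are hypothetical.

declare(strict_types=1);

/**
 * Resolve $userPath against $allowedDir and return the canonical absolute path
 * only if it remains inside $allowedDir; return null otherwise.
 *
 * realpath() collapses "..", ".", symlinks and repeated separators, so the
 * containment check is made on canonical paths, not on the raw input string.
 */
function resolveInsideDirectory(string $allowedDir, string $userPath): ?string
{
    $base = realpath($allowedDir);
    if ($base === false) {
        return null; // the allowed directory itself does not exist
    }
    // NUL bytes truncate paths in C-backed file APIs; reject them outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // target does not exist; nothing about it is disclosed
    }
    // Compare against the base with a trailing separator so that a sibling
    // such as "/srv/licenses2" is not mistaken for a child of "/srv/licenses".
    $basePrefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $basePrefix, strlen($basePrefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Read a license file by name and return its contents escaped for HTML, or
 * null when the name does not resolve to a regular file inside $allowedDir.
 */
function readLicenseForHtml(string $allowedDir, string $licenseName): ?string
{
    $path = resolveInsideDirectory($allowedDir, $licenseName);
    if ($path === null || !is_file($path)) {
        return null;
    }
    $contents = file_get_contents($path);
    if ($contents === false) {
        return null;
    }
    // Output escaping: file contents are data, never markup.
    return htmlspecialchars($contents, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Self-contained demonstration on a temporary directory (constructed sample data).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'license-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/licenses', 0700, true);
file_put_contents($tmp . '/licenses/MIT.txt', "MIT License <constructed sample>\n");
file_put_contents($tmp . '/secret.conf', "db_password=constructed-sample\n");

$cases = [
    'MIT.txt',        // legitimate name inside the directory: accepted
    '../secret.conf', // resolves outside the directory: rejected
    './MIT.txt',      // harmless relative form of a valid name: accepted
    'missing.txt',    // nonexistent file: rejected without disclosing anything
];
foreach ($cases as $name) {
    $result = readLicenseForHtml($tmp . '/licenses', $name);
    printf("%-16s => %s\n", $name, $result === null ? 'rejected' : 'ok: ' . trim($result));
}

// Remove the constructed files.
unlink($tmp . '/licenses/MIT.txt');
unlink($tmp . '/secret.conf');
rmdir($tmp . '/licenses');
rmdir($tmp);
```

Two details matter in practice: the containment check compares canonical paths (after `realpath()`), so encoded or nested `..` sequences and symlinks cannot bypass a string filter, and the trailing-separator comparison prevents a sibling directory with a shared name prefix from passing as a child. The escaped output covers the second half of the fix the commit is described as adding.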
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yetiforce/yetiforce-crm (Packagist) | < 6.5.0 | 6.5.0 |
Affected products
- YetiForceCompany/YetiForceCRM
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-394m-vxwj-363j (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-49508 (GHSA, advisory)
- github.com/YetiForceCompany/YetiForceCRM/commit/ba3a348aa6ecdf0a1d8b289cbb679bebcda7a132 (GHSA, web)
- github.com/c4v4r0n/Research/tree/main/CVE-2023-49508 (GHSA, web)
- huntr.com/bounties/29ed641d-eb03-4532-aed4-f96e11f78983 (GHSA, web)
- huntr.com/bounties/29ed641d-eb03-4532-aed4-f96e11f78983 (MITRE)
News mentions
No linked articles in our index yet.