The application uses Purifier to mitigate Cross-Site Scripting (XSS). However, in the BusinessHours module under Settings, the `name` parameter is declared as type "Text" but is neither validated nor encoded: its value is written directly into EditViewBlocks.tpl. Because the value lands inside an HTML attribute, a double quote in the stored name closes the attribute and lets an attacker add arbitrary event-handler attributes, so arbitrary JavaScript executes whenever the record's edit view is opened (stored XSS).
Affected page:
https://gitstable.yetiforce.com/index.php?module=BusinessHours&parent=Settings&view=Edit&record={id}

Payload for the name field:
BusinessHours" onfocus="alert(document.domain)" autofocus ""="

**Inject the payload**
https://drive.google.com/file/d/1eOMZ1-ltqBA4OgJh1s14sRllXnqoU8XV/view?usp=sharing
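As an added illustration that is not part of the original report and not YetiForce's own code, the Node.js snippet below renders the stored name into an `<input>` the way an unescaped template would, then tokenises the resulting start tag with a simplified attribute parser. The function names `renderNameInput`, `attributeNames` and `escapeHtmlAttr` are hypothetical stand-ins for the template fragment and the encoding step. It shows the payload's first double quote terminating the `value` attribute so that `onfocus` and `autofocus` become real attributes, and that HTML-entity encoding the value keeps the entire payload inside `value`.

```javascript
// Added example, not YetiForce code. Demonstrates why the attribute-context
// payload from the report breaks out of value="" when the template emits the
// field raw, and why entity-encoding the value at the output point fixes it.

// Constructed input: the exact payload from the report.
const PAYLOAD = 'BusinessHours" onfocus="alert(document.domain)" autofocus ""="';

// HTML attribute encoding: the characters that can end a quoted attribute
// value, start a new attribute, or close the tag are replaced by entities.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hypothetical stand-in for the template fragment that renders the record's
// name. `escape` selects raw (vulnerable) or encoded (hardened) output.
function renderNameInput(name, escape) {
  const v = escape ? escapeHtmlAttr(name) : name;
  return `<input type="text" name="name" value="${v}">`;
}

// Simplified tokeniser for the attributes of one start tag: an attribute is a
// name followed optionally by ="..." / ='...' / =unquoted. Returns the
// lower-cased attribute names in document order, which is what decides
// whether the browser will see an onfocus handler at all.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, '').replace(/\s*\/?>$/, '');
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Event-handler attributes (on*) present on the rendered tag.
function injectedHandlers(tag) {
  return attributeNames(tag).filter((n) => n.startsWith('on'));
}

// Usage: compare the raw and encoded renderings of the same stored value.
const rawTag = renderNameInput(PAYLOAD, false);
const safeTag = renderNameInput(PAYLOAD, true);
console.log('raw attributes:    ', attributeNames(rawTag));   // includes onfocus, autofocus
console.log('encoded attributes:', attributeNames(safeTag));  // only type, name, value
```

The raw rendering yields `type, name, value, onfocus, autofocus`, i.e. the browser sees a genuine `onfocus` handler and an `autofocus` attribute that fires it on page load; the encoded rendering yields only `type, name, value`, with the whole payload held as inert text inside `value`. The fix therefore belongs at the output point in the template, not in an input blocklist: a field of type "Text" may legitimately contain quotes, so stripping them on input is lossy, while encoding on output is safe for any stored string.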