yetiforce/yetiforce-crm is vulnerable to stored cross-site scripting (XSS). The library does not properly escape the fieldModel->label parameter in LayoutEditor, and the value is used directly, without any encoding or validation, in LayoutEditor/EditField.tpl, allowing an attacker to inject and execute malicious JavaScript as a stored XSS attack.
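As an added illustration (not YetiForce's own code) of the defect class described above, a PHP rendering of a field label shown raw and then escaped; the renderLabelUnescaped, renderLabelEscaped and containsRawTag helpers, and the sample label value, are constructed for this example.

```php
<?php
// Constructed example: the pattern behind an unescaped-label stored XSS
// in a PHP/Smarty-rendered template. Not YetiForce's own code.

// A label as it might come back from storage after a user with
// layout-editing rights saved it. Constructed sample input.
$storedLabel = 'Phone <script>alert(1)</script>';

// Vulnerable pattern: the value is concatenated into the HTML as-is,
// so markup inside the label becomes part of the page for every user
// who later opens the layout editor.
function renderLabelUnescaped(string $label): string
{
    return '<label class="form-label">' . $label . '</label>';
}

// Hardened pattern: a user-controlled value reaching an HTML context is
// passed through htmlspecialchars() with ENT_QUOTES, turning <, >, &,
// " and ' into entities. In Smarty this corresponds to the |escape
// modifier (or auto-escaping enabled for the template engine).
function renderLabelEscaped(string $label): string
{
    return '<label class="form-label">'
        . htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</label>';
}

// Review check over rendered output: once our own <label> wrapper is
// removed, a correctly escaped value must not leave any raw tag behind.
function containsRawTag(string $html): bool
{
    $inner = preg_replace('#^<label[^>]*>|</label>$#', '', $html);
    return (bool) preg_match('/<[a-z!\/]/i', $inner);
}

var_dump(containsRawTag(renderLabelUnescaped($storedLabel)));
var_dump(containsRawTag(renderLabelEscaped($storedLabel)));
```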