yetiforce/yetiforce-crm is vulnerable to stored cross-site scripting (XSS). The `title` parameter of the WidgetsManagement module is not properly escaped: its value is rendered directly in ChartFilter.tpl without any encoding or validation, allowing an attacker to inject JavaScript that is stored and later executed in other users' browsers as a stored XSS attack.
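The defect described above is a missing output-encoding step at the point where a stored, user-controlled string is written into HTML. The following PHP script is an added illustration, not YetiForce code; the function names and the in-memory widget store are hypothetical stand-ins for a saved widget configuration. It renders the same stored title twice, once with the vulnerable concatenation pattern and once with context-appropriate HTML encoding, and ends with the kind of regression check a reviewer would keep in a test suite.

```php
<?php
// Added example, not YetiForce code. Function names and the in-memory
// widget store are hypothetical stand-ins for a saved widget configuration.
declare(strict_types=1);

/** Return the stored title for a widget (hypothetical data access). */
function loadWidgetTitle(array $storedWidgets, int $widgetId): string
{
    return $storedWidgets[$widgetId]['title'] ?? '';
}

/** Vulnerable pattern: stored, user-controlled text concatenated into HTML as-is. */
function renderTitleUnsafe(string $title): string
{
    return '<div class="widgetTitle">' . $title . '</div>';
}

/**
 * Hardened pattern: encode for the HTML body context at output time.
 * ENT_QUOTES also encodes ' and ", so the same value is safe inside a
 * quoted attribute; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
 */
function renderTitleSafe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="widgetTitle">' . $encoded . '</div>';
}

// Constructed sample data: widget 2 has a title that carries markup.
$storedWidgets = [
    1 => ['title' => 'Open deals'],
    2 => ['title' => "<script>alert('xss')</script>"],
];

$title = loadWidgetTitle($storedWidgets, 2);

$unsafe = renderTitleUnsafe($title);
$safe   = renderTitleSafe($title);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// Regression check: the encoded output must not contain an unencoded tag,
// while the raw concatenation does. Run with zend.assertions=1.
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
```

In a Smarty template such as ChartFilter.tpl the equivalent fix is to apply the `escape` modifier (`{$TITLE|escape}`) to every interpolated user-controlled value, or to enable Smarty's `escape_html` option so that variables are HTML-encoded by default and only deliberately trusted markup is emitted raw. Encoding belongs at output, in the context where the value lands (HTML body, attribute, JavaScript, URL); validation on input is a useful second layer but does not replace it.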
| CPE | Name | Operator | Version |
|---|---|---|---|
| | yetiforce/yetiforce-crm | le | 6.4.0 |