yetiforce yetiforce_customer_relationship_management 在web页面生成时对输入的转义处理不恰当（跨站脚本）

2023-11-30 15:41:40 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

CVE编号

CVE-2021-4107

利用情况

暂无

补丁情况

官方补丁

披露时间

2021-12-14

yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/yetiforcecompany/yetiforcecrm/commit/a062d3d5fecb000db207a...
https://huntr.dev/bounties/1d124520-cf29-4539-a0f3-6d041af7b5a8

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	yetiforce	yetiforce_customer_relationship_management	*		Up to (including) 6.3.0
	运行在以下环境
	系统	amazon_2	kernel	*		Up to (excluding) 5.10.68-62.173.amzn2
	运行在以下环境
	系统	anolis_os_23	squashfs-tools	*		Up to (excluding) 4.6.1-1
	运行在以下环境
	系统	fedora_33	kernel	*		Up to (excluding) 5.14.9-100.fc33
	运行在以下环境
	系统	fedora_34	kernel	*		Up to (excluding) 5.14.9-200.fc34
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	tomcat	*		Up to (excluding) 9.0.10-22.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	squashfs-tools	*		Up to (excluding) 9.0.10-22.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP1	tomcat	*		Up to (excluding) 9.0.10-26.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	tomcat	*		Up to (excluding) 9.0.10-22.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	squashfs-tools	*		Up to (excluding) 9.0.10-22.ky10
	运行在以下环境
	系统	opensuse_Leap_15.2	tomcat-jsvc	*		Up to (excluding) 9.0.36-lp152.2.25.1
	运行在以下环境
	系统	opensuse_Leap_15.3	tomcat-jsvc	*		Up to (excluding) 9.0.36-13.1
	运行在以下环境
	系统	suse_12_SP5	tomcat-el-3_0-api	*		Up to (excluding) 9.0.36-3.71.1
	运行在以下环境
	系统	ubuntu_18.04.5_lts	squashfs-tools	*		Up to (excluding) 1:4.3-6ubuntu0.18.04.4