CVE-2022-0269 — Cross-Site Request Forgery in yetiforce

Description

Versions of yetiforce 6.3.0 and prior are subject to privilege escalation via a cross site request forgery bug. This allows an attacker to create a new admin account even with SameSite: Strict enabled. This vulnerability can be exploited by any user on the system including guest users.

How to fix CVE-2022-0269

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-0269 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 6.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-0269
WEBgithub.com/yetiforcecompany/yetiforcecrm
WEBgithub.com/yetiforcecompany/yetiforcecrm/commit/298c7870e6fe4332d8aa1757a9c8d79f841389ff
WEBhuntr.dev/bounties/a0470915-f6df-45b8-b3a2-01aebe764df0