Home > Vulnerability Database > WS-2022-0353

Mend.io Vulnerability Database

WS-2022-0353

Good to know:

Date: September 19, 2022

User can get details of the comments that were deleted in yetiforcecompany/yetiforcecrm. When a user creates a new record he can add a comment on it. The user is also able to delete the comments after which the user wont be having access to that comment like replying, checking what the comment was. This vulnerability allows any user to see what the deleted comment was and also to reply on that comment.

Language: PHP

Severity Score

6.5

Related Resources (2)

Url: https://github.com/yetiforcecompany/yetiforcecrm/commit/f06e50818a0cccb4c68887d2c5313fc034ebb194

Url: https://www.mend.io/vulnerability-database/WS-2022-0353

Severity Score

6.5

Weakness Type (CWE)

Execution with Unnecessary Privileges

CWE-250

Top Fix

Upgrade Version

Upgrade to version yetiforce/yetiforce-crm - dev-depfu/update/composer/phpmailer/phpmailer-6.6.3;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/overlayscrollbars-2.8.3;yetiforce/yetiforce-crm - dev-renovate/ossf-scorecard-action-1.x;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/leaflet.markercluster-1.5.1;yetiforce/yetiforce-crm - dev-renovate/umutphp-php-var-dump-check-action-2.x;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/clipboard-2.0.10;yetiforce/yetiforce-crm - dev-depfu/update/composer/zbateson/mail-mime-parser-2.4.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/datatables.net-1.11.5;yetiforce/yetiforce-crm - dev-renovate/chrome-php-chrome-1.x-lockfile;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/smarty/smarty-4.0.4;yetiforce/yetiforce-crm - dev-depfu/update/composer/smarty/smarty-4.2.0;yetiforce/yetiforce-crm - dev-depfu/batch_all/yarn/2022-05-23;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/smarty/smarty-3.1.40;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/nette/php-generator-3.6.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/overlayscrollbars-2.0.1;yetiforce/yetiforce-crm - dev-renovate/simshaun-recurr-5.x;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/illuminate/support-8.83.1;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fortawesome/fontawesome-free-6.3.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/maximebf/debugbar-1.18.1;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/smarty/smarty-4.1.0;yetiforce/yetiforce-crm - dev-renovate/notihnio-php-multipart-form-data-parser-2.x-lockfile;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/zbateson/mail-mime-parser-2.3.0;yetiforce/yetiforce-crm - dev-depfu/update/composer/sabre/dav-4.3.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/phpmailer/phpmailer-6.6.3;yetiforce/yetiforce-crm - dev-paula-w-patch-1;yetiforce/yetiforce-crm - dev-renovate/major-vue-monorepo;yetiforce/yetiforce-crm - dev-depfu/update/composer/giggsey/libphonenumber-for-php-8.12.47;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/html2canvas-1.4.1;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/adhocore/jwt-1.1.1;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/html2canvas-1.3.3;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/gridstack-4.2.6;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/maximebf/debugbar-1.17.1;yetiforce/yetiforce-crm - dev-renovate/zbateson-mail-mime-parser-1.x-lockfile;yetiforce/yetiforce-crm - dev-renovate/char0n-swagger-editor-validate-1.x;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/symfony/filesystem-5.4.5;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fullcalendar-6.0.1;yetiforce/yetiforce-crm - dev-depfu/update/yarn/datatables.net-1.11.1;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/twig/twig-3.3.3;yetiforce/yetiforce-crm - dev-renovate/fullcalendar-5.x;yetiforce/yetiforce-crm - dev-depfu/update/yarn/html2canvas-1.3.3;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/abraham/twitteroauth-3.1.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/illuminate/support-8.55.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/flag-icon-css-4.1.6;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/simshaun/recurr-5.0.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/quasar-2.1.5;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/parsecsv/php-parsecsv-1.3.0;yetiforce/yetiforce-crm - dev-depfu/update/composer/sabre/dav-4.2.1;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/perfect-scrollbar-1.5.2;yetiforce/yetiforce-crm - 6.5.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fortawesome/fontawesome-free-6.5.2;yetiforce/yetiforce-crm - dev-renovate/zbateson-mail-mime-parser-2.x;yetiforce/yetiforce-crm - dev-depfu/update/composer/webklex/php-imap-5.3.0;yetiforce/yetiforce-crm - dev-renovate/github-codeql-action-digest;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/jstree-3.3.12;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/quasar-2.7.6;yetiforce/yetiforce-crm - dev-depfu/update/yarn/html2canvas-1.1.3;yetiforce/yetiforce-crm - dev-renovate/paambaati-codeclimate-action-3.x;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/maximebf/debugbar-1.17.2;yetiforce/yetiforce-crm - dev-snyk-fix-176bd4a5c5168482b4b7143af5062ad2;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/datatables.net-1.11.1;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fullcalendar-6.1.4;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fullcalendar-5.9.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/floatthead-2.2.3;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/twig/twig-3.10.3;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fortawesome/fontawesome-free-6.0.0;yetiforce/yetiforce-crm - dev-renovate/quasar-1.x-lockfile;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/quasar-2.5.3;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/gridstack-3.0.0;yetiforce/yetiforce-crm - dev-renovate/blueimp-file-upload-10.x-lockfile;yetiforce/yetiforce-crm - dev-snyk-fix-2efeedf570460d9a96a9e59408128f8a;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/composer/ca-bundle-1.2.11;yetiforce/yetiforce-crm - dev-snyk-fix-53ecab9f4abb900802a63b320f14595b;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/public_html/src/developer/vuex-4.0.2;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fullcalendar-5.11.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/bootstrap-4.6.2;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/smarty/smarty-4.2.0;yetiforce/yetiforce-crm - dev-dependabot/composer/twig/twig-3.4.3;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/webklex/php-imap-4.1.1;yetiforce/yetiforce-crm - dev-depfu/update/composer/giggsey/libphonenumber-for-php-8.12.43;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/gridstack-4.4.1;yetiforce/yetiforce-crm - dev-renovate/smarty-smarty-4.x;yetiforce/yetiforce-crm - dev-developer;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/quasar-2.3.3;yetiforce/yetiforce-crm - dev-renovate/floatthead-2.x-lockfile;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/giggsey/libphonenumber-for-php-8.12.30;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/overlayscrollbars-1.13.3;yetiforce/yetiforce-crm - dev-depfu/update/yarn/datatables.net-bs4-1.11.1;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/illuminate/support-8.49.2;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/mlocati/spf-lib-3.1.2;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/gridstack-10.2.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/quasar-2.4.7;yetiforce/yetiforce-crm - dev-renovate/chart.js-4.x;yetiforce/yetiforce-crm - dev-depfu/update/composer/phpmailer/phpmailer-6.5.4;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/datatables.net-bs4-1.11.1;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/giggsey/libphonenumber-for-php-8.12.27;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/quasar-2.7.1;yetiforce/yetiforce-crm - dev-renovate/giggsey-libphonenumber-for-php-8.x-lockfile;yetiforce/yetiforce-crm - dev-depfu/update/yarn/whatwg-fetch-3.6.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fortawesome/fontawesome-free-6.1.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/zbateson/mail-mime-parser-2.0.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/abraham/twitteroauth-2.0.2;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/moment-2.29.4;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/chart.js-and-chartjs-plugin-datalabels-3.7.1;yetiforce/yetiforce-crm - dev-renovate/league-climate-3.x;yetiforce/yetiforce-crm - dev-depfu/update/composer/yetiforce/csrf-magic-1.1.7;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/ezyang/htmlpurifier-4.17.0;yetiforce/yetiforce-crm - dev-depfu/update/composer/composer/ca-bundle-1.3.3;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/gridstack-7.0.1;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/datatables.net-responsive-bs4-2.4.0;yetiforce/yetiforce-crm - dev-depfu/update/composer/phpoffice/phpspreadsheet-1.24.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/giggsey/libphonenumber-for-php-8.12.35;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/datatables.net-bs4-1.13.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/html2canvas-1.1.1;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/illuminate/support-8.47.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/nette/php-generator-3.6.7;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/globalcitizen/php-iban-4.2.3;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/chrome-php/chrome-1.7.1;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/select2-theme-bootstrap4-1.0.2;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/smarty/smarty-4.0.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/ezyang/htmlpurifier-4.16.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/ckeditor/ckeditor-4.20.1;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/composer/ca-bundle-1.5.0;yetiforce/yetiforce-crm - dev-depfu/update/yarn/leaflet.markercluster-1.5.1;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fullcalendar-5.10.1;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/giggsey/libphonenumber-for-php-8.12.52;yetiforce/yetiforce-crm - dev-depfu/update/composer/twig/twig-3.6.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/gridstack-5.1.1;yetiforce/yetiforce-crm - dev-depfu/batch_all/yarn/2022-04-04;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/zbateson/mail-mime-parser-1.3.2;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/setasign/fpdi-2.6.0;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/illuminate/support-8.64.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/overlayscrollbars-2.1.0;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/vue-3.2.31;yetiforce/yetiforce-crm - dev-depfu/update/composer/giggsey/libphonenumber-for-php-8.12.44;yetiforce/yetiforce-crm - dev-renovate/ezyang-htmlpurifier-4.x-lockfile;yetiforce/yetiforce-crm - dev-dependabot/npm_and_yarn/developer/fortawesome/fontawesome-free-6.2.1;yetiforce/yetiforce-crm - dev-dependabot/composer/developer/phpoffice/phpspreadsheet-1.16.0;roave/you-are-using-it-wrong - dev-dependabot/composer/composer/composer-2.0.8;wyrihaximus/to-x-or-not-to-x - dev-dependabot/composer/cakephp/collection-4.1.6

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2022-0353

Good to know:

Date: September 19, 2022

Language: PHP

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?