CVE-2022-2890: 
PHP vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability was identified in YetiForceCRM versions prior to 6.4.0. The vulnerability was discovered and reported in August 2022, affecting the YetiForce Customer Relationship Management system (NVD, CVE).

The vulnerability is classified as a stored Cross-site Scripting (XSS) issue, identified as CVE-2022-2890. According to the National Vulnerability Database, it received a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. However, the CNA (huntr.dev) assessed it with a higher CVSS 3.0 Base Score of 9.0 (CRITICAL) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD).

The vulnerability could allow attackers to store and execute malicious scripts in the application, potentially leading to unauthorized access to sensitive information, session hijacking, or manipulation of web content. The impact severity ranges from medium to critical based on different assessments (NVD).

The vulnerability has been patched in YetiForceCRM version 6.4.0. Users are advised to upgrade to this version or later to mitigate the risk. The fix was implemented through a commit in the YetiForce repository (GitHub Patch).