CVE-2023-49508: 
PHP vulnerability analysis and mitigation

A Directory Traversal vulnerability (CVE-2023-49508) was discovered in YetiForceCompany YetiForceCRM versions 6.4.0 and earlier. The vulnerability was identified in July 2023 and allows remote authenticated attackers to obtain sensitive information via the license parameter in the LibraryLicense.php component (NVD, Research).

The vulnerability exists in the LibraryLicense.php component within the Settings/Dependencies/views directory. The issue stems from improper sanitization of the license parameter, allowing attackers to use '../../../' in the parameter value. While the application appends '.txt' to the end of the string before reading the file, this still allows unauthorized access to .txt files through directory traversal. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows authenticated attackers to read arbitrary .txt files on the system through directory traversal, potentially exposing sensitive information stored in text files outside the intended directory structure (Research).

A patch has been released to address this vulnerability. The fix includes improved validation of file paths and implementation of proper security checks. Users should upgrade to a version newer than 6.4.0. The patch can be found in commit ba3a348 which improves the loading of details and licenses of dependent libraries (GitHub Patch).