Hello,
probably many YetiForce users [only administrators] received the following system warning:
Vulnerabilities in libraries
Vulnerabilities in libraries were detected, it is recommended to update them quickly.
Vulnerabilities:
sabberworm/php-css-parser(8.3.0):
Code injection vulnerability in allSelectors() CVE-2020-13756
This way you can see how our security control mechanism in YetiForce works. You don't need to worry about this alert, as it is related to functions that we do not use in the PDF library; however, we will prepare a fix next week.
How do you like such a security control mechanism?
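A minimal version of the library check the post describes, written here as an added example and not YetiForce's own code: it reads a constructed composer.lock excerpt, matches the locked package versions against a small advisory list, and prints a warning in the same shape as the one quoted above. The package, CVE id and title come from the warning; the affected-version range, the lock-file contents and the constraint syntax are assumptions made for illustration.

```python
import json
import re
# Constructed composer.lock excerpt (sample data, not a real YetiForce lock file).
COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "sabberworm/php-css-parser", "version": "8.3.0"}],
    "packages-dev": [{"name": "example/dev-tool", "version": "2.1.4"}],
})
# Advisory list: package, CVE and title are from the warning above; the affected
# range is an ASSUMPTION for illustration, not taken from the official advisory.
ADVISORIES = [{"package": "sabberworm/php-css-parser", "cve": "CVE-2020-13756",
               "title": "Code injection vulnerability in allSelectors()",
               "affected": "<8.3.1"}]
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def _vtuple(version):
    """'v8.3.0' -> (8, 3, 0); pre-release suffixes are ignored by this simple comparer."""
    return tuple(int(x) for x in re.findall(r"\d+", version.lstrip("v")))

def version_in_range(version, constraint):
    """True if version satisfies every comma-separated clause, e.g. '>=8.0,<8.3.1'."""
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)?\s*([\w.\-]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, bound = m.group(1) or "=", m.group(2)
        if not _OPS[op](_vtuple(version), _vtuple(bound)):
            return False
    return True

def audit_lock(lock_json, advisories):
    """Return one finding per advisory whose package is locked at an affected version."""
    data = json.loads(lock_json)
    installed = {p["name"]: p["version"]
                 for key in ("packages", "packages-dev") for p in data.get(key, [])}
    return [{"package": a["package"], "version": installed[a["package"]],
             "cve": a["cve"], "title": a["title"]}
            for a in advisories if a["package"] in installed
            and version_in_range(installed[a["package"]], a["affected"])]

def format_warning(findings):
    """Render findings in the same shape as the system warning quoted in the post."""
    if not findings:
        return "No known vulnerabilities in locked libraries."
    lines = ["Vulnerabilities in libraries were detected, it is recommended to update them quickly.",
             "Vulnerabilities:"]
    for f in findings:
        lines += [f"{f['package']}({f['version']}):", f"{f['title']} {f['cve']}"]
    return "\n".join(lines)
```

Run `print(format_warning(audit_lock(COMPOSER_LOCK, ADVISORIES)))` to see the warning for the sample lock file; the same functions can be pointed at a real composer.lock and a current advisory feed.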
The message leaves me with mixed feelings, as no fix is provided. On the one hand, I find it a good idea. On the other hand, I don't know what to do with the message (in general), i.e., whether I should take any steps until you provide a fix.
Would it be possible to add to the message a list of which versions of YetiForce fix the issue?
It would be much better if you tracked those vulnerabilities yourself and fixed them when necessary. YetiForce could check for new updates and alert about those, or even have automatic updates.
That way you would spend less effort on creating new versions and giving support.
But I also want to tell you that you are doing a great job. Thank you for your work. I work with a local NGO in South Sudan and for us it is exactly the right thing.