RubySec

Providing security resources for the Ruby community

CVE-2013-7222 (fat_free_crm): Fat Free CRM Gem for Ruby lack of support for cycling the Rails session secret

ADVISORIES

GEM

fat_free_crm

SEVERITY

CVSS v2.0: 5.0 (Medium)

PATCHED VERSIONS

  • >= 0.13.0
  • ~> 0.12.1

DESCRIPTION

Fat Free CRM contains a flaw that is due to the application defining a static security session token in config/initialiers/secret_token.rb. If a remote attacker has explicit knowledge of this token, they can potentially execute arbitrary code.