Fat Free CRM Gem for Ruby lack of support for cycling the Rails session secret
Published: December 24, 2013
SECURITY IDENTIFIERS
- CVE: CVE-2013-7222 (NVD)
- GHSA: GHSA-g897-cgfc-7q8v
- OSVDB: OSVDB-101445
GEM
SEVERITY
CVSS v2.0: 5.0 (Medium)
PATCHED VERSIONS
- >= 0.13.0
- ~> 0.12.1
DESCRIPTION
Fat Free CRM contains a flaw that is due to the application defining a static secret session token in config/initializers/secret_token.rb. A remote attacker who has explicit knowledge of this token can forge signed session cookies and potentially execute arbitrary code.
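As an added illustration (not code from the Fat Free CRM project), the following Ruby models how a Rails 3 secret_token signs the cookie session, contrasts the static initializer with a per-deployment secret, and shows that two installs sharing the static value accept each other's cookies while installs with their own secrets do not. The secret values, the SECRET_TOKEN environment variable and the cookie payload are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

# Added example: a minimal model of the Rails 3.x cookie store.
# A cookie is "<base64 payload>--<hex HMAC-SHA1 of the payload>", keyed by
# config.secret_token, so anyone who knows the secret can sign any payload.

# Weak pattern: a literal committed in config/initializers/secret_token.rb,
# so every install of the application shares the same signing key.
STATIC_SECRET = 'constructed-placeholder-secret-shared-by-every-install'.freeze

# Fixed pattern: a per-deployment secret read from the environment (or a
# file outside version control), never committed to the code base.
def deployment_secret(env = ENV)
  env.fetch('SECRET_TOKEN') { raise 'SECRET_TOKEN must be set per deployment' }
end

def hmac(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

def sign(payload, secret)
  data = [payload].pack('m0') # strict base64, no newlines
  "#{data}--#{hmac(secret, data)}"
end

# Constant-time comparison, as ActiveSupport's MessageVerifier does.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload only when the signature was made with this secret.
def verify(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest && secure_compare(digest, hmac(secret, data))
  data.unpack1('m0')
rescue ArgumentError
  nil
end

# Would a cookie issued by an install using secret_a be accepted by an
# install using secret_b?  True whenever both ship the static initializer.
def cross_install_accepted?(secret_a, secret_b)
  !verify(sign('session=constructed', secret_a), secret_b).nil?
end
```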
