ADVISORIES
- CVE-2013-7223 (NVD)
- GHSA-mcvq-7xjq-46x6
- OSVDB-101446
GEM
SEVERITY
CVSS v2.0: 6.8 (Medium)
PATCHED VERSIONS
- >= 0.13.0
- ~> 0.12.1
DESCRIPTION
Fat Free CRM contains a flaw as the application is missing the protect_from_forgery statement, therefore HTTP requests to app/controllers/application_controller.rb do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions.