RubySec

Providing security resources for the Ruby community

CVE-2013-7223 (fat_free_crm): Fat Free CRM Gem for Ruby contains multiple cross-site request forgery (CSRF) vulnerabilities

ADVISORIES

GEM

fat_free_crm

SEVERITY

CVSS v2: 6.8 (Medium)

PATCHED VERSIONS

  • >= 0.13.0
  • ~> 0.12.1

DESCRIPTION

Fat Free CRM contains a flaw as the application is missing the protect_from_forgery statement, therefore HTTP requests to app/controllers/application_controller.rb do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions.