Fat Free CRM Gem contains a JavaScript cross-site scripting (XSS) vulnerability
Published: August 22, 2014
SECURITY IDENTIFIERS
- CVE: CVE-2014-5441 (NVD)
- GHSA: GHSA-wcfx-3m6v-4frg
- OSVDB: OSVDB-110420
GEM
SEVERITY
CVSS v2.0: 4.3 (Medium)
UNAFFECTED VERSIONS
<= 0.11.0
PATCHED VERSIONS
>= 0.13.3
DESCRIPTION
Fat Free CRM Gem contains a JavaScript cross-site scripting (XSS) vulnerability. When a user is created or updated with a specially crafted username, first name or last name, arbitrary JavaScript can be executed on every Fat Free CRM page. Because the name is rendered into the shared layout, the script runs in the browser of every logged-in user who views any page.
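The description above is the classic stored-XSS pattern: a name field is saved once and then rendered unescaped into a layout that every page shares. The following Ruby snippet is an added example, not code from Fat Free CRM or the advisory, that contrasts the vulnerable rendering pattern with the escaped form Rails' `<%= %>` applies, and adds a small check a reviewer could run over rendered fragments. The crafted first name, the helper names and the header markup are all constructed for illustration.

```ruby
# Added example (not Fat Free CRM code): a user-supplied display name that
# reaches every page, rendered raw versus escaped.
require "erb"

# Constructed sample: a "first name" of the kind the advisory describes,
# carrying an inline script element.
CRAFTED_FIRST_NAME = 'Alice<script>document.title="owned"</script>'

# Vulnerable pattern: the stored name is interpolated into layout HTML with no
# escaping, so the browser parses the script element as markup on every page.
def render_header_unescaped(first_name)
  "<span class=\"user\">Welcome, #{first_name}</span>"
end

# Hardened pattern: escape with ERB::Util.html_escape (what Rails' <%= %> does
# for strings not marked html_safe), turning <, >, ", ' and & into entities.
def render_header_escaped(first_name)
  "<span class=\"user\">Welcome, #{ERB::Util.html_escape(first_name)}</span>"
end

# Review-side check: does a rendered fragment still contain a raw <script>
# start tag? Useful when auditing templates that build HTML by string
# concatenation or that call raw/html_safe on user-controlled fields.
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_header_unescaped(CRAFTED_FIRST_NAME)
  puts render_header_escaped(CRAFTED_FIRST_NAME)
end
```

The fix for this class of bug is to never mark user-controlled name fields as `html_safe` and to let the template engine escape them; a validation on the model that rejects angle brackets in names is a useful second layer but not a substitute for output escaping.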
