ADVISORIES
- CVE-2015-1585 (NVD)
- GHSA-wx7c-8j35-mpg8
- OSVDB-118465
GEM
SEVERITY
CVSS v2.0: 6.8 (Medium)
PATCHED VERSIONS
- >= 0.13.6
DESCRIPTION
Fat Free CRM contains a flaw: HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique (anti-CSRF) token when performing certain sensitive actions. By tricking a logged-in user into following a specially crafted link, a context-dependent attacker can mount a Cross-Site Request Forgery (CSRF / XSRF) attack that causes the victim's browser to create administrative users on the attacker's behalf. Upgrade to version 0.13.6 or later.
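The following is an added example, not code from Fat Free CRM or from the fix described above. It models in plain Ruby the synchronizer-token check that Rails performs for non-GET requests when protect_from_forgery is enabled: the hypothetical CsrfGuard issues a per-session token and rejects a state-changing request whose authenticity_token param does not match it, and the hypothetical AdminUsersController stands in for the /admin/users create action, once without the check (the vulnerable shape) and once with it. The forged request is the one a victim's browser would send after being lured to an attacker-controlled page that auto-submits a form to /admin/users; the session, user and token values are constructed inline.

```ruby
require 'securerandom'

# Hypothetical model of Rails' authenticity-token (synchronizer token) check.
# Not Fat Free CRM's code; written to illustrate the CVE-2015-1585 class of bug.
class CsrfGuard
  # Methods Rails treats as safe (no state change expected) and therefore
  # does not token-check. A create action must only be routed on POST.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Issue (or reuse) a per-session token kept server-side in the session.
  def self.issue_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # True when the request may proceed. A cross-site form post cannot read the
  # victim's session token, so it cannot supply a matching value.
  def self.verified?(session, method, params)
    return true if SAFE_METHODS.include?(method.to_s.upcase)
    expected = session[:_csrf_token]
    supplied = params['authenticity_token']
    return false if expected.nil? || supplied.nil?
    secure_compare(expected, supplied)
  end

  # Constant-time comparison so the check does not leak the token byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    left = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ left.shift }
    diff.zero?
  end
end

# Hypothetical stand-in for the /admin/users create action.
class AdminUsersController
  attr_reader :users

  def initialize(verify_csrf:)
    @verify_csrf = verify_csrf
    @users = []
  end

  # Returns [status, body]. Only POST is routed to create, as with a
  # Rails `resources :users` route.
  def create(session, method, params)
    return [405, 'Method Not Allowed'] unless method.to_s.upcase == 'POST'
    if @verify_csrf && !CsrfGuard.verified?(session, method, params)
      return [422, 'Invalid authenticity token']
    end
    @users << { username: params['username'], admin: params['admin'] == '1' }
    [201, 'Created']
  end
end

# Walk through the attack against both shapes of the controller.
def run_demo
  # Constructed victim session: an admin who is logged in.
  session = { user_id: 1, role: 'admin' }
  CsrfGuard.issue_token(session)

  # Constructed forged POST from an attacker page: no authenticity_token,
  # because the attacker's origin cannot read the victim's token.
  forged = { 'username' => 'attacker', 'admin' => '1' }
  # Same request as the legitimate admin form would send.
  legit = forged.merge('authenticity_token' => session[:_csrf_token])
  # Attacker guessing a wrong token of the right length.
  guessed = forged.merge('authenticity_token' => 'A' * session[:_csrf_token].bytesize)

  vulnerable = AdminUsersController.new(verify_csrf: false)
  patched = AdminUsersController.new(verify_csrf: true)

  {
    vulnerable_forged: vulnerable.create(session, 'POST', forged)[0],
    patched_forged: patched.create(session, 'POST', forged)[0],
    patched_guessed: patched.create(session, 'POST', guessed)[0],
    patched_legit: patched.create(session, 'POST', legit)[0],
    patched_get: patched.create(session, 'GET', forged)[0],
    vulnerable_admins: vulnerable.users.count { |u| u[:admin] },
    patched_admins: patched.users.count { |u| u[:admin] }
  }
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

In a real Rails application the equivalent of the patched path is `protect_from_forgery with: :exception` in ApplicationController (and not skipping it for admin controllers); the token check only helps if the sensitive action is reachable solely via a non-safe method, which is why the stand-in also refuses GET.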