RubySec

Providing security resources for the Ruby community

CVE-2015-1585 (fat_free_crm): Fat Free CRM Gem being vulnerable to CSRF-type attacks


GEM

fat_free_crm

SEVERITY

CVSS v2.0: 6.8 (Medium)

PATCHED VERSIONS

  • >= 0.13.6

DESCRIPTION

Fat Free CRM contains a flaw in that HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a logged-in administrator into following a specially crafted link or loading a page with an auto-submitting form, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack, causing the victim's browser to create administrative users on the attacker's behalf. Upgrading to a patched version (0.13.6 or later) is the remediation; tools such as bundler-audit will flag the vulnerable gem version from a Gemfile.lock.
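The following is an added illustration, not code from Fat Free CRM or the RubySec advisory, of the check the description says was missing: a per-session anti-forgery token that a cross-site form post cannot supply, even though the browser attaches the victim's session cookie to it. The class, method and session names are hypothetical, and the in-memory hashes stand in for a real session store and database. In Rails the equivalent protection is `protect_from_forgery` in the application controller; this plain-Ruby model only shows why the token, rather than the cookie, is what distinguishes a legitimate request from a forged one.

```ruby
require 'securerandom'

# Hypothetical stand-in for an admin "create user" endpoint (not Fat Free CRM's code).
# verify_token: false models the vulnerable behaviour; true models the fixed one.
class AdminUsersEndpoint
  def initialize(verify_token: true)
    @verify_token = verify_token
    @csrf_tokens = {}   # session id => token; stands in for the session store
    @users = []         # stands in for the users table
  end

  # Called when the legitimate admin page is rendered: mints a per-session
  # token that the page embeds in a hidden form field. An attacker's page on
  # another origin never sees this value.
  def issue_csrf_token(session_id)
    @csrf_tokens[session_id] ||= SecureRandom.hex(32)
  end

  # Models POST /admin/users. `cookie_session_id` is what the browser attaches
  # automatically, so a cross-site form post carries it too. `params` is the
  # form body, which only a same-origin page can populate with the token.
  def create(cookie_session_id, params)
    if @verify_token
      expected = @csrf_tokens[cookie_session_id]
      submitted = params['authenticity_token'].to_s
      unless expected && secure_compare(expected, submitted)
        return [422, 'invalid authenticity token']
      end
    end
    @users << { username: params['username'], admin: params['admin'] == '1' }
    [201, 'created']
  end

  def admin_usernames
    @users.select { |u| u[:admin] }.map { |u| u[:username] }
  end

  private

  # Constant-time comparison so the token cannot be recovered byte by byte
  # through timing differences.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario: the victim is logged in with session "sess-victim" and
# visits a page under the attacker's control that auto-submits a form to the
# endpoint. The browser adds the cookie; the form cannot include the token.
def forged_request_succeeds?(verify_token:)
  app = AdminUsersEndpoint.new(verify_token: verify_token)
  app.issue_csrf_token('sess-victim')
  forged_params = { 'username' => 'mallory', 'admin' => '1' }
  status, _body = app.create('sess-victim', forged_params)
  status == 201 && app.admin_usernames.include?('mallory')
end

# The real admin submits the server-rendered form, which carries the token.
def legitimate_request_succeeds?
  app = AdminUsersEndpoint.new(verify_token: true)
  token = app.issue_csrf_token('sess-victim')
  params = { 'username' => 'alice', 'admin' => '1', 'authenticity_token' => token }
  status, _body = app.create('sess-victim', params)
  status == 201 && app.admin_usernames.include?('alice')
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected endpoint, forged request creates admin: #{forged_request_succeeds?(verify_token: false)}"
  puts "protected endpoint, forged request creates admin:   #{forged_request_succeeds?(verify_token: true)}"
  puts "protected endpoint, legitimate request succeeds:    #{legitimate_request_succeeds?}"
end
```

The point the model makes is that checking the session cookie alone proves nothing about which page originated the request, since browsers attach cookies to cross-site form posts; only a secret that the attacker's origin cannot read, delivered in the request body or a header rather than a cookie, ties the request to the application's own page. Endpoints that perform state changes on GET are exposed even with a token check in place for POST, so the fix must also ensure sensitive actions are not reachable via GET.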