fat_free_crm XSS via query parameter of tags_helper method
Published: August 21, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2018-20975 (NVD)
- GHSA: GHSA-4p8f-mmfj-r45g
- Vendor Advisory: https://github.com/fatfreecrm/fat_free_crm/commit/6d60bc8ed010c4eda05d6645c64849f415f68d65
GEM
fat_free_crm
SEVERITY
CVSS v3.x: 6.1 (Medium)
PATCHED VERSIONS
>= 0.18.1
DESCRIPTION
Fat Free CRM before 0.18.1 has a cross-site scripting (XSS) vulnerability in the tags_helper method in app/helpers/tags_helper.rb.
