Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: fat_free_crm
date: 2018-10-27
url: https://github.com/fatfreecrm/fat_free_crm/wiki/XSS-Vulnerability-%282018-10-27%29
cve: 2018-1000842
title: fat_free_crm gem XSS vulnerability via query parameter
description: |
  FatFreeCRM versions <= 0.14.1, 0.15.0 through 0.15.1, 0.16.0 through 0.16.3,
  0.17.0 through 0.17.2, and 0.18.0 contain a cross-site scripting (XSS)
  vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result
  in JavaScript execution. Content carrying a JavaScript payload is executed in end
  users' browsers when they visit the affected page. The vulnerability was fixed in
  0.18.1, 0.17.3, 0.16.4, 0.15.2 and 0.14.2.
cvss_v2: '4.3'
cvss_v3: '6.1'
patched_versions:
- ">= 0.18.1"
- "~> 0.17.3"
- "~> 0.16.4"
- "~> 0.15.2"
- "~> 0.14.2"
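Two things a practitioner wants from an advisory like this: a way to test an installed version against the patched ranges above, and a reminder of the bug class. The Ruby below is an added example, not code from the advisory or from the fat_free_crm project. The version check applies the advisory's own `patched_versions` list with `Gem::Requirement` (the same matching bundler-audit uses) to a constructed `Gemfile.lock` excerpt. The ERB templates are a generic illustration of unescaped query-parameter output versus escaped output; they are not fat_free_crm's actual template, and the request parameter name `query` is assumed for illustration.

```ruby
require "rubygems"
require "erb"

# Patched ranges copied from the advisory's patched_versions list.
PATCHED_VERSIONS = [">= 0.18.1", "~> 0.17.3", "~> 0.16.4", "~> 0.15.2", "~> 0.14.2"].freeze

# True when +version+ (e.g. "0.17.2") satisfies at least one patched range.
# "~> 0.17.3" means >= 0.17.3 and < 0.18, so 0.18.0 only matches via ">= 0.18.1"
# and is therefore reported as unpatched, matching the advisory.
def patched?(version)
  v = Gem::Version.new(version)
  PATCHED_VERSIONS.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Extract fat_free_crm's pinned version from Gemfile.lock text (specs are
# indented four spaces in the lockfile format); nil when the gem is absent.
def locked_version(lockfile_text)
  m = lockfile_text.match(/^\s{4}fat_free_crm \(([^)]+)\)/)
  m && m[1]
end

# Constructed sample lockfile excerpt (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fat_free_crm (0.17.2)
        rails (>= 5.2)
      rails (5.2.1)
LOCK

# Generic illustration of the bug class (NOT fat_free_crm's real template):
# a query parameter interpolated into HTML unescaped, next to the escaped form.
VULNERABLE = ERB.new("<p>Results for: <%= query %></p>")
SAFE       = ERB.new("<p>Results for: <%= ERB::Util.html_escape(query) %></p>")

def render(template, query)
  template.result_with_hash(query: query)
end

if __FILE__ == $PROGRAM_NAME
  version = locked_version(SAMPLE_LOCK)
  puts "fat_free_crm #{version}: #{patched?(version) ? 'patched' : 'VULNERABLE (CVE-2018-1000842)'}"
  payload = "<script>alert(1)</script>"
  puts "unescaped: #{render(VULNERABLE, payload)}"
  puts "escaped:   #{render(SAFE, payload)}"
end
```

Run it against your real lockfile by replacing `SAMPLE_LOCK` with `File.read("Gemfile.lock")`; `bundle exec bundler-audit check` performs the same range comparison using the Rubysec advisory database, of which this page is one entry.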