fat_free_crm 0.11.2

11 security vulnerabilities found in version 0.11.2

Fat Free CRM Gem being vulnerable to CSRF-type attacks

high severity CVE-2015-1585
Patched versions: >= 0.13.6

Fat Free CRM contains a flaw: HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to create administrative users.

Fat Free CRM Gem for Ruby contains multiple cross-site request forgery (CSRF) vulnerabilities

high severity CVE-2013-7223
Patched versions: >= 0.13.0, ~> 0.12.1

Fat Free CRM contains a flaw: the application is missing the protect_from_forgery statement in app/controllers/application_controller.rb, so HTTP requests handled by its controllers do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions.

Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint

medium severity CVE-2022-39281
Patched versions: >= 0.20.1

Impact

An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.

This vulnerability has been assigned the CVE identifier: CVE-2022-39281

Affected versions: All
Not affected: None
Fixed versions: 0.20.1

All users running an affected release should either upgrade or apply the patch immediately.

Releases

Fixed versions: 0.20.1 and above

Patches

If you are unable to upgrade immediately, you should apply the following patch.

diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
index d3d5c32c..7cdb24d6 100644
--- a/app/models/polymorphic/task.rb
+++ b/app/models/polymorphic/task.rb
@@ -189,6 +189,7 @@ class Task < ActiveRecord::Base
   #----------------------------------------------------------------------------
   def self.bucket_empty?(bucket, user, view = "pending")
     return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+    return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)

     if view == "assigned"
       assigned_by(user).send(bucket).pending.count
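Review bot: the new guard calls `Setting.task_bucket.map(&:to_s)` directly, so if the task_bucket setting is nil or unset the method raises NoMethodError instead of returning false; `Array(Setting.task_bucket).map(&:to_s)` would make an unconfigured setting fail closed. Since the point of the guard is to keep `send(bucket)` on the following lines from dispatching arbitrary method names, the patch would also benefit from a regression spec asserting that `bucket_empty?` returns false for a bucket name not listed in the setting.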

Fat Free CRM Cross-site Scripting vulnerability

medium severity CVE-2019-10226

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.

fat_free_crm XSS via query parameter of tags_helper method

medium severity CVE-2018-20975
Patched versions: >= 0.18.1

Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.

fat_free_crm gem XSS vulnerability via query parameter

medium severity CVE-2018-1000842
Patched versions: >= 0.18.1, ~> 0.17.3, ~> 0.16.4, ~> 0.15.2, ~> 0.14.2

FatFreeCRM versions <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2 and ==0.18.0 contain a Cross Site Scripting (XSS) vulnerability, introduced in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65, that can result in JavaScript execution. The attack appears to be exploitable via content carrying a JavaScript payload, which is executed in end users' browsers when they visit the page. This vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2 and 0.14.2.

Fat Free CRM Gem contains a javascript cross-site scripting (XSS) vulnerability

medium severity CVE-2014-5441
Patched versions: >= 0.13.3
Unaffected versions: <= 0.11.0

Fat Free CRM Gem contains a JavaScript cross-site scripting (XSS) vulnerability. When a user is created or updated with a specifically crafted username, first name or last name, arbitrary JavaScript can be executed on all Fat Free CRM pages. This code would be executed for all logged-in users.

Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive information

medium severity CVE-2013-7249
Patched versions: >= 0.13.0, ~> 0.12.1

Fat Free CRM contains a flaw that is triggered when the attacker sends a direct request for XML data. This may allow a remote attacker to gain access to potentially sensitive information.

Fat Free CRM Gem for Ruby allows remote attackers to inject or manipulate SQL queries

medium severity CVE-2013-7225
Patched versions: >= 0.13.0, ~> 0.12.1

Fat Free CRM contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the app/controllers/home_controller.rb script not properly sanitizing user-supplied input to the 'state' parameter or input passed via comments and emails. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive information

medium severity CVE-2013-7224
Patched versions: >= 0.13.0, ~> 0.12.1

Fat Free CRM contains a flaw in the user controllers that is triggered when JSON requests are rendered with the full JSON object. This may allow a remote attacker to gain access to potentially sensitive information, e.g. other users' password hashes.

Fat Free CRM Gem for Ruby lack of support for cycling the Rails session secret

medium severity CVE-2013-7222
Patched versions: >= 0.13.0, ~> 0.12.1

Fat Free CRM contains a flaw due to the application defining a static session secret token in config/initializers/secret_token.rb. If a remote attacker has explicit knowledge of this token, they can potentially execute arbitrary code.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leak issues.

Author did not declare a license for this gem in the gemspec.

This gem version has an AGPL-3.0-only license in the source code; however, it was not declared in the gemspec file.

This gem version is available.

This gem version has not been yanked and is still available for usage.