fat_free_crm 0.13.5

5 security vulnerabilities found in version 0.13.5

Fat Free CRM Gem being vulnerable to CSRF-type attacks

high severity CVE-2015-1585
Patched versions: >= 0.13.6

Fat Free CRM contains a flaw as HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack, causing the victim to create administrative users.

Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint

medium severity CVE-2022-39281
Patched versions: >= 0.20.1

Impact

An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.

This vulnerability has been assigned the CVE identifier: CVE-2022-39281

Affected versions: All
Not affected: None
Fixed versions: 0.20.1

All users running an affected release should either upgrade or apply the patch immediately.

Releases

Fixed versions: 0.20.1 and above

Patches

If you are unable to upgrade immediately, you should apply the following patch.

diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
index d3d5c32c..7cdb24d6 100644
--- a/app/models/polymorphic/task.rb
+++ b/app/models/polymorphic/task.rb
@@ -189,6 +189,7 @@ class Task < ActiveRecord::Base
   #----------------------------------------------------------------------------
   def self.bucket_empty?(bucket, user, view = "pending")
     return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+    return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)

     if view == "assigned"
       assigned_by(user).send(bucket).pending.count
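
Review bot: the added guard in `bucket_empty?` is the only thing standing between the `bucket` parameter and the `send(bucket)` call a few lines below, but nothing in the hunk records that; a one-line comment such as `# allowlist: only configured task buckets may be dispatched via send` would keep a later refactor from dropping it. The guard also assumes `Setting.task_bucket` is an enumerable of symbols or strings; if that setting can be nil or a single value, `.map(&:to_s)` raises, so `Array(Setting.task_bucket).map(&:to_s).include?(bucket.to_s)` would make the check total. Returning `false` for a rejected bucket matches the existing `bucket.blank?` branch, so callers see an unknown bucket as "not empty", which is consistent with the line above it.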

Fat Free CRM Cross-site Scripting vulnerability

medium severity CVE-2019-10226

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.

fat_free_crm XSS via query parameter of tags_helper method

medium severity CVE-2018-20975
Patched versions: >= 0.18.1

Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.

fat_free_crm gem XSS vulnerability via query parameter

medium severity CVE-2018-1000842
Patched versions: >= 0.18.1, ~> 0.17.3, ~> 0.16.4, ~> 0.15.2, ~> 0.14.2

FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2, ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in JavaScript execution. This attack appears to be exploitable via content containing a JavaScript payload, which will be executed in end users' browsers when they visit the page. This vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, 0.14.2.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leak issues.

No license issues detected.

This gem version has a license in the gemspec.

This gem version is available.

This gem version has not been yanked and is still available for usage.