fat_free_crm 0.15.0
Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint
medium severity CVE-2022-39281>= 0.20.1
Impact
An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.
This vulnerability has been assigned the CVE identifier: CVE-2022-39281
Affected versions: All Not affected: None Fixed versions: 0.20.1
All users running an affected release should either upgrade or apply the patch immediately.
Releases
Fixed versions: 0.20.1 and above
Patches
If you are unable to upgrade immediately, you should apply the following patch.
diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
index d3d5c32c..7cdb24d6 100644
--- a/app/models/polymorphic/task.rb
+++ b/app/models/polymorphic/task.rb
@@ -189,6 +189,7 @@ class Task < ActiveRecord::Base
#----------------------------------------------------------------------------
def self.bucket_empty?(bucket, user, view = "pending")
return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+ return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)
if view == "assigned"
assigned_by(user).send(bucket).pending.count
Fat Free CRM Cross-site Scripting vulnerability
medium severity CVE-2019-10226HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.
fat_free_crm XSS via query parameter of tags_helper method
medium severity CVE-2018-20975>= 0.18.1
Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.
fat_free_crm gem XSS vulnerability via query parameter
medium severity CVE-2018-1000842>= 0.18.1
, ~> 0.17.3
, ~> 0.16.4
, ~> 0.15.2
, ~> 0.14.2
FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2, ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in Javascript execution. This attack appear to be exploitable via Content with Javascript payload will be executed on end user browsers when they visit the page. This vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, 0.14.2.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.