fat_free_crm 0.19.0
Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint
medium severity CVE-2022-39281>= 0.20.1
Impact
An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.
This vulnerability has been assigned the CVE identifier: CVE-2022-39281
Affected versions: All Not affected: None Fixed versions: 0.20.1
All users running an affected release should either upgrade or apply the patch immediately.
Releases
Fixed versions: 0.20.1 and above
Patches
If you are unable to upgrade immediately, you should apply the following patch.
diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
index d3d5c32c..7cdb24d6 100644
--- a/app/models/polymorphic/task.rb
+++ b/app/models/polymorphic/task.rb
@@ -189,6 +189,7 @@ class Task < ActiveRecord::Base
#----------------------------------------------------------------------------
def self.bucket_empty?(bucket, user, view = "pending")
return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+ return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)
if view == "assigned"
assigned_by(user).send(bucket).pending.count
Fat Free CRM Cross-site Scripting vulnerability
medium severity CVE-2019-10226HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.