fat_free_crm 0.20.0

2 security vulnerabilities found in version 0.20.0

Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint

medium severity CVE-2022-39281
medium severity CVE-2022-39281
Patched versions: >= 0.20.1

Impact

An authenticated user can perform a remote Denial of Service attack against Fat Free CRM.

This vulnerability has been assigned the CVE identifier: CVE-2022-39281

Affected versions: All Not affected: None Fixed versions: 0.20.1

All users running an affected release should either upgrade or apply the patch immediately.

Releases

Fixed versions: 0.20.1 and above

Patches

If you are unable to upgrade immediately, you should apply the following patch.

diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb
index d3d5c32c..7cdb24d6 100644
--- a/app/models/polymorphic/task.rb
+++ b/app/models/polymorphic/task.rb
@@ -189,6 +189,7 @@ class Task < ActiveRecord::Base
   #----------------------------------------------------------------------------
   def self.bucket_empty?(bucket, user, view = "pending")
     return false if bucket.blank? || !ALLOWED_VIEWS.include?(view)
+    return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s)

     if view == "assigned"
       assigned_by(user).send(bucket).pending.count

Fat Free CRM Cross-site Scripting vulnerability

medium severity CVE-2019-10226
medium severity CVE-2019-10226

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.