GitHub Advisory Database: GHSA-WCFX-3M6V-4FRG
History: May 17, 2022 - 4:35 a.m.

Fat Free CRM subject to Cross-site Scripting

2022-05-17 04:35:23
CWE-79
GitHub Advisory Database
github.com
7
cross-site scripting
vulnerabilities
remote attackers
web script
html
user action

CVSS2: 4.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.002
Percentile: 60.8%

Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) create or (b) edit user action.

Affected configurations

Vulners
Node: fatfreecrm fat_free_crm, Range 0.11.1 - 0.13.3

Vendor: fatfreecrm
Product: fat_free_crm
Version: *
CPE: cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*
