CVE-2018-1000842
Published 2018-12-20
Priority: P427 | Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.69% (74.2th percentile)
FatFreeCRM versions =0.15.0, =0.16.0, =0.17.0 <=0.17.2, and ==0.18.0 contain a Cross Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in JavaScript execution. The attack appears to be exploitable via stored content: a JavaScript payload in that content is executed in end users' browsers when they visit the page. This vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, and 0.14.2.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fatfreecrm | fat_free_crm | >= 0 < 0.14.2 | 0.14.2 |
| fatfreecrm | fat_free_crm | >= 0.15.0 < 0.15.2 | 0.15.2 |
| fatfreecrm | fat_free_crm | >= 0.16.0 < 0.16.4 | 0.16.4 |
| fatfreecrm | fat_free_crm | >= 0.17.0 < 0.17.3 | 0.17.3 |
| fatfreecrm | fat_free_crm | >= 0.18.0 < 0.18.1 | 0.18.1 |
| fatfreecrm | fatfreecrm | <= 0.14.1 | — |
| fatfreecrm | fatfreecrm | — | — |
| fatfreecrm | fatfreecrm | 0.15.0 – 0.15.1 | — |
| fatfreecrm | fatfreecrm | 0.16.0 – 0.16.3 | — |
| fatfreecrm | fatfreecrm | 0.17.0 – 0.17.2 | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | CVSS 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
GHSA (ghsa · 2018-12-20)
CVE-2018-1000842 [MEDIUM] CWE-79 Fat Free CRM vulnerable to Cross-site Scripting
FatFreeCRM versions `=0.15.0 =0.16.0 =0.17.0 <=0.17.2` and `==0.18.0` contain a Cross Site Scripting (XSS) vulnerability in [commit 6d60bc8ed010c4eda05d6645c64849f415f68d65](https://github.com/asteinhauser/fat_free_crm/commit/306f940b26ccf3f406665f07bece1229a7a5dcfa) that can result in JavaScript execution. The attack appears to be exploitable via stored content: a JavaScript payload in that content is executed in end users' browsers when they visit the page. This vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, and 0.14.2.
OSV (osv · 2018-12-20)
CVE-2018-1000842 [MEDIUM] Fat Free CRM vulnerable to Cross-site Scripting
No detection rules found.
No public exploits indexed.
References
https://github.com/asteinhauser/fat_free_crm/commit/306f940b26ccf3f406665f07bece1229a7a5dcfa
https://github.com/asteinhauser/fat_free_crm/issues/1
https://github.com/fatfreecrm/fat_free_crm/wiki/XSS-Vulnerability-%282018-10-27%29
https://groups.google.com/forum/#%21topic/fat-free-crm-users/TxsdZXSe7Jc

Published: 2018-12-20