CVE-2019-10226
Published: 2019-06-10
Priority: P3 (36)
Severity: medium, 5.4 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:L / I:L / A:N
Exploit: public exploit referenced (see references)
EPSS: 4.70% (90.7th percentile)
HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is an XSS protection mechanism.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fatfreecrm | fat_free_crm | — | — |
| fatfreecrm | fat_free_crm | 0 – 0.19.0 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
No writeups or analysis indexed.
References

- http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html
- https://apidock.com/rails/ActionView/Helpers/TextHelper/simple_format
- https://github.com/fatfreecrm/fat_free_crm/blob/master/app/views/comments/_comment.html.haml#L2
- https://github.com/fatfreecrm/fat_free_crm/issues/1235
- https://www.exploit-db.com/exploits/46617/