
Fat Free CRM (fatfreecrm/fat_free_crm) vulnerabilities

11 known vulnerabilities affecting fatfreecrm/fat_free_crm.

Total CVEs: 11
CISA KEV: 0
Public exploits: 1
Exploited in the wild: 0
Severity breakdown: MEDIUM 11

Vulnerabilities

CVE-2019-10226 | MEDIUM (priority P3) | CVSS 5.4 | CWE-79 | affects v0.19.0 | public PoC | published 2019-06-10
HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is an XSS protection mechanism.
Sources: GHSA, NVD
CVE-2013-7225 | MEDIUM (priority P3) | CVSS 6.5 | CWE-89 | affects ≤ 0.12.0 (v0.9.6 and 8 more tagged versions) | published 2014-01-02
Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.
Sources: GHSA, NVD, OSV
CVE-2022-39281 | MEDIUM (priority P4) | CVSS 6.5 | CWE-20 | fixed in 0.20.1 | published 2022-10-08
fat_free_crm is an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit `c85a254` and will be available in release `0.20.1`. Users are advised to u
Sources: GHSA, NVD, OSV
CVE-2013-7223 | MEDIUM (priority P4) | CVSS 6.8 | CWE-352 | affects ≤ 0.12.0 (v0.9.6 and 8 more tagged versions) | published 2014-01-02
Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controllers/application_controller.rb.
Sources: GHSA, NVD, OSV
CVE-2015-1585 | MEDIUM (priority P4) | CVSS 6.8 | CWE-352 | affects ≤ 0.13.5 | published 2015-02-19
Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account.
Sources: GHSA, NVD, OSV
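Both CSRF entries above (CVE-2013-7223, the missing protect_from_forgery line, and CVE-2015-1585, a POST accepted without an authenticity_token) come down to the same missing check. The following is an added example, not Fat Free CRM's code and not Rails' implementation: a minimal model of what protect_from_forgery enforces, with a stand-in users#create action run once without the guard (the vulnerable state) and once with it. The request shape, session ids and parameter names are constructed for the example.

```ruby
require 'securerandom'

# Added example (not Fat Free CRM code): a minimal model of what Rails'
# protect_from_forgery enforces. Each session gets a random authenticity
# token; every state-changing request must echo it back as the
# authenticity_token form field or the X-CSRF-Token header. A page on another
# origin can make the victim's browser send the session cookie, but cannot
# read the token to include it.
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize
    @tokens = Hash.new { |h, session_id| h[session_id] = SecureRandom.base64(32) }
  end

  # Token the server renders into its own forms for this session.
  def token_for(session_id)
    @tokens[session_id]
  end

  # request is a Hash: { method:, session_id:, params:, headers: }
  def verified?(request)
    return true if SAFE_METHODS.include?(request[:method].to_s.upcase)
    supplied = request.fetch(:params, {})['authenticity_token'] ||
               request.fetch(:headers, {})['X-CSRF-Token']
    return false if supplied.nil?
    constant_time_equal?(supplied.to_s, token_for(request[:session_id]))
  end

  private

  # Compare without leaking where the first mismatch is.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stand-in for the users#create action. guard: nil models the pre-0.12.1
# application_controller.rb with no protect_from_forgery line.
def create_user(request, guard: nil)
  return :forbidden if guard && !guard.verified?(request)
  :created
end

# Constructed request: the victim's browser, steered by an attacker-controlled
# page, POSTs a new administrator with the victim's session cookie attached
# and no authenticity_token (the CVE-2015-1585 scenario).
def csrf_post(session_id, extra_params = {})
  { method: 'POST', session_id: session_id,
    params: { 'login' => 'attacker', 'admin' => '1' }.merge(extra_params),
    headers: {} }
end

# Same POST as the application's own form would send.
def legitimate_post(guard, session_id)
  csrf_post(session_id, 'authenticity_token' => guard.token_for(session_id))
end

if __FILE__ == $PROGRAM_NAME
  guard = CsrfGuard.new
  puts "no protect_from_forgery:       #{create_user(csrf_post('victim'))}"
  puts "guard, token missing:          #{create_user(csrf_post('victim'), guard: guard)}"
  puts "guard, attacker-guessed token: #{create_user(csrf_post('victim', 'authenticity_token' => 'x'), guard: guard)}"
  puts "guard, site's own form:        #{create_user(legitimate_post(guard, 'victim'), guard: guard)}"
end
```

Two caveats when checking a Rails app for this class of bug: the guard only helps if it is actually reached (a `skip_before_filter :verify_authenticity_token` on a controller reopens the hole for that controller), and in Rails 3 the default reaction to a failed check is to reset the session rather than raise, so an action that does not need session state can still run. Rails 4 and later default to raising.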
CVE-2018-1000842 | MEDIUM (priority P4) | CWE-79 | affects ≥ 0, < 0.14.2; ≥ 0.15.0, < 0.15.2; and 3 more ranges | published 2018-12-20
Fat Free CRM vulnerable to Cross-site Scripting. FatFreeCRM version `=0.15.0 =0.16.0 =0.17.0 <=0.17.2`, and `==0.18.0` contains a Cross Site Scripting (XSS) vulnerability in [commit 6d60bc8ed010c4eda05d6645c64849f415f68d65](https://github.com/asteinhauser/fat_free_crm/commit/306f940b26ccf3f406665f07bece1229a7a5dcfa) that can result in Javascript execution. This attack appears to be exploitable via Content with Javas
Sources: GHSA, OSV
CVE-2013-7222 | MEDIUM (priority P4) | CVSS 5.0 | CWE-310 | affects ≤ 0.12.0 (v0.9.6 and 8 more tagged versions) | published 2014-01-02
config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.
Sources: GHSA, NVD, OSV
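What "spoof signed cookies by referring to the key in the source code" means in practice, as an added example that is not Fat Free CRM's code: the wire format below mirrors a Rails 3.x signed cookie (ActiveSupport::MessageVerifier with SHA1), but the payload serializer is JSON rather than the Marshal that Rails 3 used, and the hard-coded secret value is a hypothetical placeholder, not the real one from the project. Anyone holding the secret the server verifies with can mint a session cookie for any user id; a per-deployment random secret makes the same forgery fail.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Added example (not Fat Free CRM code). Mirrors the layout of a Rails 3.x
# signed cookie:
#   base64(payload) + "--" + hex(HMAC-SHA1(secret, base64(payload)))
# Payload serializer here is JSON; Rails 3 used Marshal.
module SignedCookie
  module_function

  def sign(payload, secret)
    data = Base64.strict_encode64(JSON.generate(payload))
    "#{data}--#{digest(data, secret)}"
  end

  # Returns the payload hash when the signature is valid, nil otherwise.
  def verify(cookie, secret)
    data, sig = cookie.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless constant_time_equal?(sig, digest(data, secret))
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def digest(data, secret)
    OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  end

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical value standing in for a secret_token committed to the
# repository. Not the real Fat Free CRM value.
SECRET_FROM_SOURCE_TREE = 'c0ffee' * 20

# Per-deployment secret, the post-0.12.1 approach: generated once at install
# time and never committed.
def fresh_secret
  SecureRandom.hex(64)
end

# The attacker only needs the key the server verifies with; with it they mint
# a session cookie for an arbitrary user id without ever logging in.
def forge_session_cookie(known_secret, user_id)
  SignedCookie.sign({ 'user_id' => user_id }, known_secret)
end

# Does a cookie forged under attacker_secret pass verification on a server
# configured with server_secret?
def spoof_succeeds?(server_secret, attacker_secret, user_id = 1)
  cookie = forge_session_cookie(attacker_secret, user_id)
  payload = SignedCookie.verify(cookie, server_secret)
  !payload.nil? && payload['user_id'] == user_id
end

if __FILE__ == $PROGRAM_NAME
  puts "fixed secret:  spoof #{spoof_succeeds?(SECRET_FROM_SOURCE_TREE, SECRET_FROM_SOURCE_TREE) ? 'succeeds' : 'fails'}"
  puts "random secret: spoof #{spoof_succeeds?(fresh_secret, SECRET_FROM_SOURCE_TREE) ? 'succeeds' : 'fails'}"
end
```

Spoofing is the floor, not the ceiling: because the Rails 3 cookie store deserializes the verified payload with Marshal, a known secret_token is generally treated as a code-execution issue, not just an authentication bypass. When auditing a deployment, check that the secret in config/initializers/secret_token.rb (or config/secrets.yml on newer Rails) is not the value shipped in the repository or in any public fork.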
CVE-2018-20975 | MEDIUM (priority P4) | CVSS 6.1 | CWE-79 | fixed in 0.18.1 | published 2019-08-20
Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.
Sources: GHSA, NVD, OSV
CVE-2013-7249 | MEDIUM (priority P4) | CVSS 5.0 | affects ≤ 0.12.0 (v0.9.6 and 8 more tagged versions) | published 2014-01-02
Fat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224.
Sources: GHSA, NVD, OSV
CVE-2013-7224 | MEDIUM (priority P4) | CVSS 5.0 | CWE-200 | affects ≤ 0.12.0 (v0.9.6 and 8 more tagged versions) | published 2014-01-02
Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.
Sources: GHSA, NVD, OSV
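CVE-2013-7249 (users/1.xml) and CVE-2013-7224 (users/1.json) are the same defect in two output formats: a Rails model's default to_xml and to_json emit every column. The following is an added example, not the project's fix: a constructed stand-in for a users row, the unrestricted dump a default serializer produces, and a single attribute allowlist that feeds both the JSON and the XML serializer so the two formats cannot drift apart. Column names and values are made up for the example.

```ruby
require 'json'
require 'cgi'

# Added example (not Fat Free CRM code). Attributes safe to expose to any
# authenticated client, and the columns we never want to see in a response.
PUBLIC_ATTRS = %i[id username first_name last_name].freeze
SENSITIVE_COLUMNS = %w[email password_hash password_salt admin].freeze

# Constructed stand-in for a users row with the kind of columns an
# ActiveRecord model exposes by default.
User = Struct.new(:id, :username, :first_name, :last_name, :email,
                  :password_hash, :password_salt, :admin) do
  # What a default to_json did in Rails 3: every column, credentials included.
  def to_json_unrestricted
    JSON.generate(to_h)
  end

  # One allowlist feeding both serializers.
  def as_json(_options = nil)
    to_h.select { |k, _| PUBLIC_ATTRS.include?(k) }
  end

  def to_json(*_args)
    JSON.generate(as_json)
  end

  # Same allowlist for the XML representation; values are escaped so a
  # user-controlled name cannot inject elements.
  def to_xml
    body = as_json.map { |k, v| "  <#{k}>#{CGI.escapeHTML(v.to_s)}</#{k}>" }.join("\n")
    "<user>\n#{body}\n</user>"
  end
end

def sample_user
  User.new(1, 'alice', 'Alice', 'Liddell', 'alice@example.com',
           '$2a$10$examplehash', 'examplesalt', true)
end

# Which sensitive column names appear in a serialized document?
def leaked_fields(document)
  SENSITIVE_COLUMNS.select { |f| document.include?(f) }
end

if __FILE__ == $PROGRAM_NAME
  u = sample_user
  puts "unrestricted JSON leaks: #{leaked_fields(u.to_json_unrestricted).inspect}"
  puts "allowlisted JSON leaks:  #{leaked_fields(u.to_json).inspect}"
  puts "allowlisted XML leaks:   #{leaked_fields(u.to_xml).inspect}"
  puts u.to_xml
end
```

Trimming the attributes limits what a direct request can read, but the entries above also say "via a direct request": the endpoint answered for any user id to any session. A complete fix pairs the allowlist with an authorization check on the users resource, so that users/1.json is not reachable by a non-admin in the first place.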
CVE-2014-5441 | MEDIUM (priority P4) | CVSS 4.3 | CWE-79 | affects ≤ 0.13.0 (v0.11.1 and 4 more tagged versions) | published 2014-09-12
Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) create or (b) edit user action.
Sources: GHSA, NVD, OSV