Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nbWc1LXIzYzQtM2ZtOc4AAg9y

Withdrawn Advisory: Fat Free CRM Cross-site Scripting vulnerability

Withdrawn

This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references.

According to the maintainers of Fat Free CRM, the CRM comment feature intentionally allows certain HTML markup and sanitizes the output when rendering it to the page. This lets safe tags through (such as the <h1> the reporter tested and reported as a vulnerability) but correctly disallows <script> tags and other dangerous elements.
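To make the distinction concrete, here is a small allowlist HTML sanitizer in Ruby. It is an added illustration, not Fat Free CRM's own code (a Rails application would normally get this behaviour from the sanitize helper and rails-html-sanitizer); the module, constant and method names are hypothetical, and the sample comment bodies are constructed. It shows why rendering an injected <h1> is not by itself a vulnerability: structural tags on the allowlist survive, while <script>, event-handler attributes and javascript: links (including entity- and whitespace-obfuscated ones) are neutralised.

```ruby
# Added illustration, not Fat Free CRM's code: an allowlist HTML sanitizer
# of the kind a Rails comment view gets from the sanitize helper.
# Module, constant and method names are hypothetical.
require 'strscan'
require 'cgi'

module CommentSanitizer
  ALLOWED_TAGS  = %w[h1 h2 h3 p br b i strong em ul ol li a].freeze
  ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
  # Only absolute http(s), mailto and site-relative links; rejects javascript:,
  # data: and protocol-relative (//evil.example) URLs.
  SAFE_HREF = %r{\A(?:https?://|mailto:|/(?!/))}i

  TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*/?>}
  ATTR_RE = %r{([^\s=>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?}

  # Returns HTML in which every tag not on the allowlist is escaped to visible
  # text, allowed tags keep only allowlisted attributes, and all text is escaped.
  def self.sanitize(html)
    out = +''
    s = StringScanner.new(html.to_s)
    until s.eos?
      if s.scan(TAG_RE)
        out << render_tag(s.matched, s[1] == '/', s[2].downcase, s[3])
      elsif s.scan(/</)
        out << '&lt;'                 # stray '<' that does not start a tag
      else
        out << escape(s.scan(/[^<]+/))
      end
    end
    out
  end

  def self.render_tag(raw, closing, name, raw_attrs)
    return escape(raw) unless ALLOWED_TAGS.include?(name)   # <script>, <img>, ... become text
    return "</#{name}>" if closing

    attrs = raw_attrs.scan(ATTR_RE).map do |key, dq, sq, bare|
      key = key.downcase
      next unless ALLOWED_ATTRS.fetch(name, []).include?(key)   # drops onclick=, onerror=, ...
      # Decode entities first: browsers turn java&#115;cript: back into javascript:.
      value = CGI.unescapeHTML((dq || sq || bare).to_s)
      # Browsers also ignore control characters inside the scheme, so strip them before checking.
      next if key == 'href' && value.gsub(/[[:cntrl:]\s]/, '') !~ SAFE_HREF
      %( #{key}="#{CGI.escapeHTML(value)}")
    end
    "<#{name}#{attrs.compact.join}>"
  end

  # Normalise existing entities, then escape, so "&amp;" does not become "&amp;amp;".
  def self.escape(text)
    CGI.escapeHTML(CGI.unescapeHTML(text))
  end
end

# Constructed sample comment bodies (not taken from the advisory).
SAMPLE_COMMENTS = [
  '<h1>Heading in a comment</h1>',
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<a href="javascript:alert(1)">click</a>',
  '<a href="https://example.com" onclick="evil()">ok</a>',
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_COMMENTS.each { |c| puts "#{c.ljust(55)} => #{CommentSanitizer.sanitize(c)}" }
end
```

The practical lesson for a reporter is the same one the maintainers make: seeing an injected <h1> render proves only that some markup is allowed. Before filing, confirm that a payload actually executes (a <script> element, an event-handler attribute, or a javascript: URL) against the sanitized output. Note that this tokenizer does not balance unclosed tags or parse nested content the way a DOM-based scrubber such as Loofah does, which is why production code should use the framework's sanitizer rather than a hand-rolled one.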

Original Description

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.

Permalink: https://github.com/advisories/GHSA-gmg5-r3c4-3fm9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nbWc1LXIzYzQtM2ZtOc4AAg9y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 month ago

Withdrawn: about 1 month ago

CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-gmg5-r3c4-3fm9, CVE-2019-10226
References: Repository: https://github.com/fatfreecrm/fat_free_crm

Affected Packages

rubygems:fat_free_crm
Dependent packages: 6
Dependent repositories: 40
Downloads: 89,898 total
Affected Version Ranges: <= 0.19.0
No known fixed version
All affected versions: 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.17.1, 0.17.2, 0.17.3, 0.18.0, 0.18.1, 0.18.2, 0.19.0