Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nbWc1LXIzYzQtM2ZtOc4AAg9y
Withdrawn Advisory: Fat Free CRM Cross-site Scripting vulnerability
Withdrawn
This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references.
According to the maintainers of Fat Free CRM, the CRM comment feature allows certain HTML markup but sanitizes the output when it is rendered to the page. This permits safe tags (such as <h1>, which the author tested and reported as a vulnerability) but correctly disallows <script> tags and other dangerous entities.
Original Description
HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.
Permalink: https://github.com/advisories/GHSA-gmg5-r3c4-3fm9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nbWc1LXIzYzQtM2ZtOc4AAg9y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 month ago
Withdrawn: about 1 month ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-gmg5-r3c4-3fm9, CVE-2019-10226
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10226
- http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fat_free_crm/CVE-2019-10226.yml
- https://github.com/fatfreecrm/fat_free_crm/issues/1235
- https://github.com/github/advisory-database/pull/3599
- https://apidock.com/rails/ActionView/Helpers/TextHelper/simple_format
- https://github.com/fatfreecrm/fat_free_crm/blob/master/app/views/comments/_comment.html.haml#L2
- https://www.exploit-db.com/exploits/46617
- https://github.com/advisories/GHSA-gmg5-r3c4-3fm9
Affected Packages
rubygems:fat_free_crm
Dependent packages: 6
Dependent repositories: 40
Downloads: 89,898 total
Affected Version Ranges: <= 0.19.0
No known fixed version
All affected versions: 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.14.0, 0.14.1, 0.14.2, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.17.1, 0.17.2, 0.17.3, 0.18.0, 0.18.1, 0.18.2, 0.19.0