CVE-2015-1585

🗓️ 19 Feb 2015 15:00:00Reported by mitreType

cve

cve🔗 web.nvd.nist.gov👁 69 Views🌐 WEB

Fat Free CRM before 0.13.6 allows CSRF attacks via crafted HTML page

Reporter	Title	Published	Views	Family All 12
0day.today	Fat Free CRM 0.13.5 Cross Site Request Forgery Vulnerability	16 Feb 201500:00	–	zdt
CNVD	Fat Free CRM Cross-Site Request Forgery Vulnerability	21 Feb 201500:00	–	cnvd
Cvelist	CVE-2015-1585	19 Feb 201515:00	–	cvelist
EUVD	EUVD-2022-5667	3 Oct 202520:07	–	euvd
Github Security Blog	Fat Free CRM Cross-Site Request Forgery vulnerability	14 May 202202:49	–	github
NVD	CVE-2015-1585	19 Feb 201515:59	–	nvd
OSV	GHSA-WX7C-8J35-MPG8 Fat Free CRM Cross-Site Request Forgery vulnerability	14 May 202202:49	–	osv
Packet Storm	Fat Free CRM 0.13.5 Cross Site Request Forgery	16 Feb 201500:00	–	packetstorm
Prion	Cross site request forgery (csrf)	19 Feb 201515:59	–	prion
RubySec	Fat Free CRM Gem being vulnerable to CSRF-type attacks	16 Feb 201500:00	–	rubygems

NVD

Node

fatfreecrm fat_free_crmRange≤0.13.5

Source	Link
exchange	www.exchange.xforce.ibmcloud.com/vulnerabilities/100925
github	www.github.com/fatfreecrm/fat_free_crm/wiki/CSRF-Vulnerability-%28CVE-2015-1585%29
packetstormsecurity	www.packetstormsecurity.com/files/130410/Fat-Free-CRM-0.13.5-Cross-Site-Request-Forgery.html
securityfocus	www.securityfocus.com/archive/1/534709/100/0/threaded

Parameter	Position	Path	Description	CWE
user[username]	request body	/admin/users	CSRF-allowing creation of an administrator account via POST to /admin/users when authenticity_token is optional	CWE-352
user[email]	request body	/admin/users	CSRF-allowing creation of an administrator account via POST to /admin/users when authenticity_token is optional	CWE-352
user[password]	request body	/admin/users	CSRF-allowing creation of an administrator account via POST to /admin/users when authenticity_token is optional	CWE-352
user[password_confirmation]	request body	/admin/users	CSRF-allowing creation of an administrator account via POST to /admin/users when authenticity_token is optional	CWE-352
user[admin]	request body	/admin/users	CSRF-allowing creation of an administrator account via POST to /admin/users when authenticity_token is optional	CWE-352

17 Jun 2026 00:22Current

6.5Medium risk

Vulners AI Score6.5

CVSS 26.8

EPSS0.01094

security csrf fat free crm cve-2015-1585 nvd