Lucene search

GitHub Advisory DatabaseGHSA-4XQ9-VW89-P5CX

HistoryMay 17, 2022 - 4:55 a.m.

Fat Free CRM allows remote attackers to obtain sensitive information via a direct request

2022-05-1704:55:27

CWE-200

GitHub Advisory Database

github.com

fat free crm

remote attackers

sensitive information

json serialization

direct request

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.007

Percentile

80.6%

JSON

Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.

Affected configurations

Vulners

Node

fatfreecrmfat_free_crmRange<0.12.1

VendorProductVersionCPE
fatfreecrmfat_free_crm*cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fatfreecrm	fat_free_crm	*	cpe:2.3:a:fatfreecrm:fat_free_crm::::::::

References

openwall.com/lists/oss-security/2013/12/28/2

seclists.org/fulldisclosure/2013/Dec/199

github.com/advisories/GHSA-4xq9-vw89-p5cx

github.com/fatfreecrm/fat_free_crm/commit/cf26a04b356ad2161c4c6160260eb870a3de5328

github.com/fatfreecrm/fat_free_crm/issues/300

github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29

nvd.nist.gov/vuln/detail/CVE-2013-7224

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.007

Percentile

80.6%

JSON

Related for GHSA-4XQ9-VW89-P5CX