Lucene search

GitHub Advisory DatabaseGHSA-9GGP-5RF4-X7Q9

HistoryMay 17, 2022 - 4:55 a.m.

Fat Free CRM vulnerable to SQL Injection

2022-05-1704:55:27

CWE-89

GitHub Advisory Database

github.com

fat free crm

sql injection

remote users

authenticated

arbitrary commands

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS

0.004

Percentile

73.4%

JSON

Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.

Affected configurations

Vulners

Node

fatfreecrmfat_free_crmRange<0.12.1

VendorProductVersionCPE
fatfreecrmfat_free_crm*cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
fatfreecrm	fat_free_crm	*	cpe:2.3:a:fatfreecrm:fat_free_crm::::::::

References

openwall.com/lists/oss-security/2013/12/28/2

seclists.org/fulldisclosure/2013/Dec/199

github.com/advisories/GHSA-9ggp-5rf4-x7q9

github.com/fatfreecrm/fat_free_crm/commit/078035f1ef73ed85285ac9d128c3c5f670cef066

github.com/fatfreecrm/fat_free_crm/commit/d4b2de81a4d8c1b201482edcb2488ed9280a65fd

github.com/fatfreecrm/fat_free_crm/issues/300

github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29

nvd.nist.gov/vuln/detail/CVE-2013-7225

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS

0.004

Percentile

73.4%

JSON

Related for GHSA-9GGP-5RF4-X7Q9