Fat Free CRM has fixed token value

GitHub Advisory Database (github.com): GHSA-G897-CGFC-7Q8V
Published: 2022-05-17 04:55:27
CWE-330
Tags: fat free crm, fixed token, remote attackers, signed cookies

CVSS2: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

EPSS: 0.006 (percentile 79.0%)

config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.
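As an added illustration (not code from the advisory or from Fat Free CRM), the shape of the weak initializer the advisory describes next to a hardened one that loads the key from the environment and fails closed, plus a minimal model of a Rails 3 signed cookie showing that verification only succeeds under the key that produced the signature. The placeholder literal, the SECRET_TOKEN variable name and the helper names are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Vulnerable pattern (the shape the advisory describes): one literal shared by
# every installation, so anyone who reads the source knows the signing key.
# The value here is a constructed placeholder, not the real one from Fat Free CRM.
FIXED_SECRET_TOKEN = 'constructed-placeholder-fixed-secret-token'

# Hardened loader for config/initializers/secret_token.rb: read the key from the
# environment and fail closed at boot if it is absent, the shipped literal, or short.
def load_secret_token(env)
  token = env['SECRET_TOKEN'].to_s
  raise 'SECRET_TOKEN is not set' if token.empty?
  raise 'SECRET_TOKEN is the fixed value from source control' if token == FIXED_SECRET_TOKEN
  raise 'SECRET_TOKEN is too short (expected >= 64 hex chars)' if token.length < 64
  token
end

# What `rake secret` produces: 128 hex characters from a CSPRNG, one per install.
def generate_secret_token
  SecureRandom.hex(64)
end

# Minimal model of a Rails 3 signed cookie: base64(payload)--HMAC-SHA1(secret, base64).
def sign_cookie(payload, secret)
  data = [payload].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time comparison so verification does not leak the digest via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload if the signature was produced with this secret, else nil.
def verify_cookie(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA1', secret, data), digest)
  data.unpack1('m0')
end
```

Rotating the secret invalidates every existing signed cookie, so the fix for an affected install is to generate a fresh token and deploy it, not only to upgrade.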

Affected configurations

Source   Vendor      Product       Version   CPE
Vulners  fatfreecrm  fat_free_crm  <0.12.1
CPE      fatfreecrm  fat_free_crm  *         cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*
