Reporter Ankit Bharathan
# Affected software:
Fat Free CRM - URL: http://www.fatfreecrm.com/
# Discovered by:
# Type of vulnerability: XSS Stored
# Fat Free CRM is an open source
Ruby on Rails-based customer relationship management platform. Out of the
box it features group collaboration, campaign and lead management, contact
lists, and opportunity tracking.
# Description: Fat Free CRM is prone to a persistent (stored) cross-site
scripting vulnerability: a malicious user can inject HTML or script into a
stored field that is later rendered to other users, so the script executes
in the victim's browser with access to cookies not flagged HttpOnly, session
tokens, and any other sensitive information the browser holds for that site,
and can perform actions in the victim's authenticated session.
# Proof of concept:
1> Go to
2> Go to edit profile.
3> Fill the
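To make the class of bug concrete, the following is an added example and not code from Fat Free CRM or from the reporter. It models a profile field that is saved as typed and later rendered in a view: plain ERB does not escape output, so the first template behaves like a Rails view that renders the field with `raw` or `.html_safe`; the second escapes at output time, which is what a Rails `<%= %>` does by default. The template, the field name `title` and the payload are assumptions for illustration, not the actual vulnerable field or view in the product.

```ruby
require "erb"

# Constructed sample payload of the kind submitted into a profile field
# during a stored-XSS test (illustrative, not taken from the advisory).
PAYLOAD = "<script>alert(document.cookie)</script>".freeze

# Vulnerable rendering: plain ERB emits the stored value verbatim, the same
# effect as `<%= raw title %>` or `title.html_safe` in a Rails view.
VULN_TEMPLATE = ERB.new('<p class="title"><%= title %></p>')

# Hardened rendering: HTML-escape the stored value at output time. Rails'
# `<%= %>` does this automatically for strings never marked html_safe.
SAFE_TEMPLATE = ERB.new('<p class="title"><%= ERB::Util.html_escape(title) %></p>')

# Render the (hypothetical) profile title field through the given template,
# as a view would when another user opens the profile page.
def render_profile_title(template, stored_title)
  template.result_with_hash(title: stored_title)
end

# Check a tester can apply to a rendered page: does the stored value come
# back as live markup (verbatim) instead of escaped text? Only meaningful
# for a value that contains markup characters such as < and >.
def renders_as_markup?(template, stored_value)
  render_profile_title(template, stored_value).include?(stored_value)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render_profile_title(VULN_TEMPLATE, PAYLOAD)}"
  puts "hardened:   #{render_profile_title(SAFE_TEMPLATE, PAYLOAD)}"
end
```

The fix is contextual output encoding in the view, not stripping `<script>` on input: `ERB::Util.html_escape` also neutralises `&`, `"` and `'`, so a value such as `O'Neil & Co` still displays correctly while a payload injected into an attribute or text node cannot break out of it.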