Fat Free CRM Cross Site Scripting

Type packetstorm
Reporter Ankit Bharathan
Modified 2014-08-31T00:00:00


# Affected software:
Fat Free CRM - URL: http://www.fatfreecrm.com/
# Discovered by:
Ankit Bharathan
# Type of vulnerability: XSS Stored
# Fat Free CRM is an open source Ruby on Rails-based customer relationship management platform. Out of the box it features group collaboration, campaign and lead management, contact lists, and opportunity tracking.
# Description: Fat Free CRM is prone to a Persistent Cross Site Scripting attack that allows a malicious user to inject HTML or scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.
# Proof of concept:
1> Go to
2> Go to edit profile.
3> Fill the alternate email with a javascript payload eg:
4> Save it and reload the page. The javascript payload gets executed.
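A defensive counterpart to the steps above, added here as an illustrative example and not code from Fat Free CRM or from the advisory author. It shows the two controls that stop this class of stored XSS on a profile field: an allow-list validation on the alternate email before it is persisted, and HTML escaping of the stored value when it is rendered. The pattern, the function names and the sample inputs are assumptions constructed for this example; the escaping shown is ERB::Util.html_escape, the same escaping Rails applies inside `<%= %>` unless a view bypasses it with `raw` or `html_safe`.

```ruby
require "erb"

# Allow-list for a single mailbox address. Hypothetical rule for this
# example: deliberately strict, and it rejects anything containing HTML
# metacharacters because they never occur in a valid address here.
ALT_EMAIL_PATTERN = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\z/

def valid_alt_email?(value)
  return false if value.nil?
  value = value.strip
  return false if value.empty? || value.length > 254
  value.match?(ALT_EMAIL_PATTERN)
end

# Input side: the profile update refuses to persist an invalid alternate email.
# `profile` is a plain Hash standing in for the user record (constructed).
def update_profile(profile, alt_email)
  unless valid_alt_email?(alt_email)
    return { ok: false, errors: ["alternate email is not a valid address"] }
  end
  profile[:alt_email] = alt_email.strip
  { ok: true, errors: [] }
end

# Output side: whatever was stored is HTML-escaped before it reaches the page.
# ERB::Util.html_escape turns & < > " ' into entities, so a stored string can
# only ever be displayed as text, never interpreted as markup or script.
def render_alt_email(value)
  %(<span class="alt-email">#{ERB::Util.html_escape(value.to_s)}</span>)
end

# Walk a set of inputs through both controls and report what happened to each.
# Returns an Array of Hashes so a caller (or a test) can inspect the outcome.
def audit_inputs(inputs)
  inputs.map do |input|
    profile = { alt_email: nil }
    result = update_profile(profile, input)
    {
      input: input,
      accepted: result[:ok],
      stored: profile[:alt_email],
      rendered: render_alt_email(profile[:alt_email]),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two real addresses and two that carry markup
  # characters, which the validator must reject and the renderer must escape.
  samples = [
    "alice@example.com",
    "  bob.smith+crm@mail.example.org ",
    "<b>bold</b>@example.com",
    %(say "hi"@example.com),
  ]
  audit_inputs(samples).each do |row|
    status = row[:accepted] ? "accepted" : "rejected"
    puts "#{status.ljust(8)} #{row[:input].inspect} -> #{row[:rendered]}"
  end
end
```

Both layers matter: validation alone does not protect values that entered the database before the rule existed, and escaping alone still lets junk into the record, so a review of this kind of bug checks the model validation and every view that prints the field.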
Best Regards,  
Ankit Bharathan.