rubygems / RubySec / RUBY:FAT_FREE_CRM-2013-7225-101448
Dec 23, 2013 - 8:00 p.m.

Fat Free CRM Gem for Ruby allows remote attackers to inject or manipulate SQL queries

RubySec
nvd.nist.gov
5

CVSS2: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.004 (percentile 73.4%)

Fat Free CRM contains a flaw that may allow carrying out an SQL injection
attack. The issue is due to the app/controllers/home_controller.rb script
not properly sanitizing user-supplied input to the ‘state’ parameter or
input passed via comments and emails. This may allow a remote attacker to
inject or manipulate SQL queries in the back-end database, allowing for
the manipulation or disclosure of arbitrary data.

Affected configurations

Vulners node:
  ruby / fat_free_crm  Range  0.13.0
  OR
  ruby / fat_free_crm  Range  0.12.0 - 0.12.1

Vendor  Product       Version  CPE
ruby    fat_free_crm  *        cpe:2.3:a:ruby:fat_free_crm:*:*:*:*:*:*:*:*
