Authorization Bypass Through User-Controlled Key
Overview: fatfreecrm is a customer relationship management platform. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the destroy action in app/controllers/emails_controller.rb. An attacker can delete another user's email record by sending...
GHSA-9PM8-VWC5-W2HM Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID
Impact: Authenticated users can delete emails imported into the system and assigned to another user, where the Email Dropbox is in use. Patches: Fixed in v0.26.0. Workarounds: Disable use of email dropbox...
EUVD-2019-0619
Malware in sbrugna...
EUVD-2022-3374
Malicious code in bioql PyPI...
EUVD-2022-5667
Malicious code in bioql PyPI...
EUVD-2022-4544
Malicious code in bioql PyPI...
EUVD-2022-3668
Malicious code in bioql PyPI...
EUVD-2022-4185
Malicious code in bioql PyPI...
EUVD-2022-7142
Malicious code in bioql PyPI...
EUVD-2022-2472
Malicious code in bioql PyPI...
EUVD-2022-5552
Malicious code in bioql PyPI...
EUVD-2022-3925
Malicious code in bioql PyPI...
CVE-2022-39281
fatfreecrm is an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit c85a254 and will be...
CVE-2020-5203
In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code execution if developers choose to pass user-controlled input, e.g. $_REQUEST, $_GET, or $_POST, to the framework's Clear method...
CVE-2018-20975
Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb...
Denial of Service (DoS)
Overview: fatfreecrm is a customer relationship management platform. Affected versions of this package are vulnerable to Denial of Service (DoS) in the find_all_grouped function in models/polymorphic/task.rb, by users with bucket access. Details: Denial of Service (DoS) describes a family of attacks, all...
Fat Free CRM Input Validation Error Vulnerability
Fat Free CRM is an open source Ruby on Rails based customer relationship management platform. The platform includes modules for team collaboration, customer management, contact lists, customer tracking and more. In Fat Free CRM prior to version 0.20.1 an input validation error vulnerability exists,...
Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint
Impact: An authenticated user can perform a remote Denial of Service attack against Fat Free CRM. This vulnerability has been assigned the CVE identifier CVE-2022-39281. Affected versions: All. Not affected: None. Fixed versions: 0.20.1. All users running an affected release should either upgrade or...