Fat Free Crm Security Vulnerabilities and Issues — Fat Free Crm CVE List

Lucene search

FatfreecrmFat Free Crm

10 matches found

CVE•added 2019/06/10 11:29 p.m.•108 views

CVE-2019-10226

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is a XSS protection mech...

5.4CVSS5.2AI score0.02501EPSS

CVE•added 2022/10/08 1:15 a.m.•79 views

CVE-2022-39281

fat_free_crm is a an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit c85a254 and will be a...

6.5CVSS6.3AI score0.02489EPSS

CVE•added 2015/02/19 3:59 p.m.•60 views

CVE-2015-1585

Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account.

6.8CVSS6.5AI score0.00283EPSS

CVE•added 2019/08/20 1:15 p.m.•60 views

CVE-2018-20975

Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.

6.1CVSS5.9AI score0.00301EPSS

CVE•added 2014/09/12 2:55 p.m.•46 views

CVE-2014-5441

Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) create or (b) edit user action.

4.3CVSS5.8AI score0.00296EPSS

CVE•added 2014/01/02 2:59 p.m.•45 views

CVE-2013-7249

Fat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224.

5CVSS6.1AI score0.00667EPSS

CVE•added 2014/01/02 2:59 p.m.•44 views

CVE-2013-7224

Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.

5CVSS6.1AI score0.0059EPSS

CVE•added 2014/01/02 2:59 p.m.•43 views

CVE-2013-7225

Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.

6.5CVSS8.3AI score0.01147EPSS

CVE•added 2014/01/02 2:59 p.m.•41 views

CVE-2013-7222

config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.

5CVSS6.8AI score0.00873EPSS

CVE•added 2014/01/02 2:59 p.m.•41 views

CVE-2013-7223

Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controllers/application_controller.rb.

6.8CVSS7.4AI score0.00522EPSS