fat_free_crm (RubyGems)

10 known CVEs affecting this package.

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting fat_free_crm (page 1 of 1)
- CVE-2013-7222 | Severity: NONE | CVSS 0.0 | EG 0.0 | Fixed in 0.12.1 | 2014-01-02
vulnerable: 0.11.0 ... 0.12.0 (6 versions)
config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.
- CVE-2013-7223 | Severity: NONE | CVSS 0.0 | EG 0.0 | Fixed in 0.12.1 | 2014-01-02
vulnerable: 0.11.0 ... 0.12.0 (6 versions)
Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in …
- CVE-2013-7224 | Severity: NONE | CVSS 0.0 | EG 0.0 | Fixed in 0.12.1 | 2014-01-02
vulnerable: 0.11.0 ... 0.12.0 (6 versions)
Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.
- CVE-2013-7225 | Severity: NONE | CVSS 0.0 | EG 0.0 | Fixed in 0.12.1 | 2014-01-02
vulnerable: 0.11.0 ... 0.12.0 (6 versions)
Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.
- CVE-2013-7249 | Severity: NONE | CVSS 0.0 | EG 0.0 | Fixed in 0.12.1 | 2014-01-02
vulnerable: 0.11.0 ... 0.12.0 (6 versions)
Fat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224.
- CVE-2014-5441 | Severity: NONE | CVSS 0.0 | EG 0.0 | Fixed in 0.13.3 | 2014-09-12
vulnerable: 0.11.1 ... 0.13.2 (11 versions)
Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last na…
- CVE-2015-1585 | Severity: NONE | CVSS 0.0 | EG 0.0 | Fixed in 0.13.6 | 2015-02-19
vulnerable: 0.11.0 ... 0.13.5 (15 versions)
Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account.
- CVE-2018-1000842 | Severity: MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 0.18.1 | 2018-12-20
vulnerable: 0.18.0
FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2, ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in Javascript execution. …
- CVE-2018-20975 | Severity: MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 0.18.1 | 2019-08-20
vulnerable: 0.11.0 ... 0.18.0 (33 versions)
Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.
- CVE-2022-39281 | Severity: MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 0.20.1 | 2022-10-08
vulnerable: 0.11.0 ... 0.20.0 (38 versions)
fat_free_crm is an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vu…