Contents

---
gem: fat_free_crm
cve: 2018-1000842
url: https://github.com/fatfreecrm/fat_free_crm/wiki/XSS-Vulnerability-%282018-10-27%29
date: 2018-10-27
title: fat_free_crm gem XSS vulnerability via query parameter
description: |
  FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0
  <=0.17.2, ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit
  6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in Javascript execution.
  This attack appear to be exploitable via Content with Javascript payload will be
  executed on end user browsers when they visit the page. This vulnerability appears
  to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, 0.14.2.

cvss_v3: 6.1
cvss_v2: 4.3

patched_versions:
  - ">= 0.18.1"
  - ~> 0.17.3
  - ~> 0.16.4
  - ~> 0.15.2
  - ~> 0.14.2

Version data entries

1 entries across 1 versions & 1 rubygems

Version	Path
bundler-audit-0.7.0.1	data/ruby-advisory-db/gems/fat_free_crm/CVE-2018-1000842.yml