CVE-2018-1000842
MEDIUM
FatFreeCRM <=0.14.1, 0.15.0-0.15.1, 0.16.0-0.16.3, 0.17.0-0.17.2, 0.18.0 - Stored Cross-Site Scripting
Title source: llmDescription
FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2, ==0.18.0 contains a Cross-Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in JavaScript execution. This attack appears to be exploitable via content containing a JavaScript payload, which is executed in end users' browsers when they visit the page. This vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, 0.14.2.
References (4)
Core References
Third Party Advisory x_refsource_misc
https://github.com/asteinhauser/fat_free_crm/issues/1
Patch x_refsource_misc
https://github.com/asteinhauser/fat_free_crm/commit/306f940b26ccf3f406665f07bece1229a7a5dcfa
Patch, Third Party Advisory x_refsource_misc
https://github.com/fatfreecrm/fat_free_crm/wiki/XSS-Vulnerability-%282018-10-27%29
Mailing List x_refsource_misc
https://groups.google.com/forum/#%21topic/fat-free-crm-users/TxsdZXSe7Jc
Scores
CVSS v3
6.1
EPSS
0.0044
EPSS Percentile
63.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
fatfreecrm/fatfreecrm
0.18.0
fatfreecrm/fatfreecrm
< 0.14.1
rubygems/fat_free_crm
0 - 0.14.2 (RubyGems)
Published
Dec 20, 2018
Tracked Since
Feb 18, 2026