Skip to content

XSS Vulnerability (2018 10 27)

Steve Kenworthy edited this page Oct 27, 2018 · 1 revision

A Javascript cross-site scripting (XSS) vulnerability has been found and fixed in Fat Free CRM. You are strongly encouraged to update your installation.

Affects: <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2, ==0.18.0

Fixed versions: 0.18.1, 0.17.3, 0.16.4, 0.15.2, 0.14.2

Impact

Javascript embedded in tags used to categorize content inside Fat Free CRM was bypassing the standard html escaping protocols built into the system.

For more general reading on the impact of XSS vulnerabilities, please see https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Patches

For those needing to patch manually, please apply the following commit:

https://github.com/fatfreecrm/fat_free_crm/commit/6d60bc8ed010c4eda05d6645c64849f415f68d65

Credits

Antonin Steinhauser (github: steinhause) for reporting an XSS vulnerability in the app/helpers/tag_helper.rb file.

Responsible disclosure policy

Please report issues to security@fatfreecrm.com. We will work with you to understand the issue and how we can fix it. Please do not disclose the issue publicly until it has been resolved and released. We're more than willing to give you credit for discovering the issue, once it has been patched and announced, but until then we ask that you consider the security implications of the issue you have found and the impact on others using an un-patched system.

Further details can be found here: https://github.com/fatfreecrm/fat_free_crm/wiki/Security

Clone this wiki locally