GHSA-gmg5-r3c4-3fm9

Source
https://github.com/advisories/GHSA-gmg5-r3c4-3fm9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gmg5-r3c4-3fm9/GHSA-gmg5-r3c4-3fm9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gmg5-r3c4-3fm9
Withdrawn
2024-02-23T18:00:56Z
Published
2022-05-24T16:47:42Z
Modified
2024-02-23T18:49:10.741993Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Withdrawn Advisory: Fat Free CRM Cross-site Scripting vulnerability
Details

Withdrawn

This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references.

According to the maintainers of Fat Free CRM, the CRM comment feature allows certain HTML markup but sanitizes the output when it is rendered to the page. This allows safe tags (such as <h1>, which the reporter tested and reported as a vulnerability) but correctly disallows <script> tags and other dangerous markup.

Original Description

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.
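The withdrawal note and the original report disagree on what counts as a finding: markup that survives sanitization is only a vulnerability if it can execute script or steal data, and a rendered <h1> shows neither. The following is an added illustration of that distinction, written for this page; it is not Fat Free CRM's code, and the page does not show the project's own sanitizer (Rails applications typically use the built-in `sanitize` helper, which is allowlist-based in the same way). The tag and attribute allowlists, the URL scheme list, and the test payloads are assumptions chosen for the demonstration.

```ruby
require "cgi"

# Added example (not Fat Free CRM code): an allowlist HTML sanitizer of the kind
# a CRM comment field needs. Unknown tags are stripped but their text is kept,
# unknown attributes are dropped, link targets must use a safe scheme, and
# script-bearing containers lose their content as well as their tags.
# All lists below are assumptions for the demo, not the project's settings.
ALLOWED_TAGS = %w[h1 h2 h3 p b i strong em u ul ol li a br blockquote code pre].freeze
ALLOWED_ATTRS = { "a" => %w[href title] }.freeze
SAFE_SCHEMES = %w[http https mailto].freeze
DROP_CONTENT_TAGS = %w[script style iframe object].freeze

TAG_RE = /<\/?[a-zA-Z][^>]*>/
# attribute name, then an optional double-quoted, single-quoted or bare value
ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Reject javascript: and other active schemes. Entities are decoded and
# whitespace/control characters removed first, so "&#106;avascript:" and
# "java\nscript:" are judged on what the browser would actually see.
def safe_url?(raw)
  value = CGI.unescapeHTML(raw).gsub(/[\u0000-\u0020]/, "")
  return true if value.start_with?("/", "#") || !value.include?(":")
  SAFE_SCHEMES.include?(value.split(":", 2).first.downcase)
end

# Rebuild a single tag from scratch, keeping only allowlisted attributes.
def sanitize_tag(tag)
  closing = tag.start_with?("</")
  body = tag[(closing ? 2 : 1)..-2]
  name, rest = body.split(/\s+/, 2)
  name = name.downcase.delete("/") # "<br/>" -> "br"
  return "" unless ALLOWED_TAGS.include?(name)
  return "</#{name}>" if closing

  allowed = ALLOWED_ATTRS[name] || []
  attrs = (rest || "").scan(ATTR_RE).filter_map do |attr, dq, sq, bare|
    attr = attr.downcase
    value = dq || sq || bare || ""
    next unless allowed.include?(attr)          # drops onclick, onerror, style, ...
    next if %w[href src].include?(attr) && !safe_url?(value)
    %( #{attr}="#{CGI.escapeHTML(CGI.unescapeHTML(value))}")
  end
  "<#{name}#{attrs.join}>"
end

# Text between tags can still contain a stray "<"; neutralise it.
def escape_text(text)
  text.gsub("<", "&lt;").gsub(">", "&gt;")
end

def sanitize_comment(html)
  # Remove dangerous containers with their contents; an unclosed <script>
  # falls through to sanitize_tag, which strips the tag and leaves inert text.
  stripped = html.gsub(/<(#{DROP_CONTENT_TAGS.join("|")})\b[^>]*>.*?<\/\1\s*>/mi, "")
  out = String.new
  pos = 0
  stripped.scan(TAG_RE) do
    m = Regexp.last_match
    out << escape_text(stripped[pos...m.begin(0)])
    out << sanitize_tag(m[0])
    pos = m.end(0)
  end
  out << escape_text(stripped[pos..])
  out
end

# Constructed payloads: the first is what the original report tested, the
# rest are what an assessor has to show surviving before calling it XSS.
SAMPLE_COMMENTS = [
  "<h1>Hello</h1>",
  "<script>alert(1)</script><b>ok</b>",
  '<a href="javascript:alert(1)" onclick="x()">click</a>',
  '<a href="&#106;avascript:alert(1)">x</a>',
  "1 < 2 and <img src=x onerror=alert(1)>",
  '<a href="https://example.com/?a=1&b=2" title="t">x</a>',
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_COMMENTS.each { |c| puts "#{c.inspect} -> #{sanitize_comment(c).inspect}" }
end
```

Run against the constructed payloads, the <h1> comment comes back unchanged, which is exactly the behaviour the report called a vulnerability; every payload that would execute script loses its script, attribute or URL while its harmless text survives. That second set of results, not the first, is the evidence an XSS report needs.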

Database specific
{
    "nvd_published_at": "2019-06-10T23:29:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-23T14:12:23Z"
}
Affected packages

RubyGems / fat_free_crm

Package

Name
fat_free_crm
Purl
pkg:gem/fat_free_crm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.19.0

Affected versions

0.*

0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.12.0
0.12.1
0.12.2
0.12.3
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.14.0
0.14.1
0.14.2
0.15.0.beta
0.15.0.beta.2
0.15.0
0.15.1
0.15.2
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.17.1
0.17.2
0.17.3
0.18.0
0.18.1
0.18.2
0.19.0