GHSA-j5rj-g695-342r

Source

https://github.com/advisories/GHSA-j5rj-g695-342r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-j5rj-g695-342r/GHSA-j5rj-g695-342r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j5rj-g695-342r

Aliases

CVE-2018-1000842

Published

2018-12-20T22:01:54Z

Modified

2024-02-16T08:11:15.649513Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Fat Free CRM vulnerable to Cross-site Scripting

Details

FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2, and ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in Javascript execution. This attack appears to be exploitable via Content with Javascript payload will be executed on end user browsers when they visit the page. This vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, and 0.14.2.

Database specific

{
    "nvd_published_at": "2018-12-20T15:29:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:42:09Z"
}

References

Affected packages

RubyGems / fat_free_crm

Package

Name: fat_free_crm
Purl: pkg:gem/fat_free_crm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.14.2

Affected versions

0.*

0.11.0

0.11.1

0.11.2

0.11.3

0.11.4

0.12.0

0.12.1

0.12.2

0.12.3

0.13.0

0.13.1

0.13.2

0.13.3

0.13.4

0.13.5

0.13.6

0.14.0

0.14.1

RubyGems / fat_free_crm

Package

Name: fat_free_crm
Purl: pkg:gem/fat_free_crm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.15.0

Fixed

0.15.2

Affected versions

0.*

0.15.0

0.15.1

RubyGems / fat_free_crm

Package

Name: fat_free_crm
Purl: pkg:gem/fat_free_crm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.16.0

Fixed

0.16.4

Affected versions

0.*

0.16.0

0.16.1

0.16.2

0.16.3

RubyGems / fat_free_crm

Package

Name: fat_free_crm
Purl: pkg:gem/fat_free_crm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.17.0

Fixed

0.17.3

Affected versions

0.*

0.17.1

0.17.2

RubyGems / fat_free_crm

Package

Name: fat_free_crm
Purl: pkg:gem/fat_free_crm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.18.0

Fixed

0.18.1

Affected versions

0.*

0.18.0