-
Notifications
You must be signed in to change notification settings - Fork 1.3k
XSS vulnerability (26th August 2014)
A javascript cross-site scripting (XSS) vulnerability has been found and fixed in the most recent version of Fat Free CRM.
Versions affected: all versions >= v0.11.1
Fixed version: v0.13.3
When a user is created/updated using a specifically crafted username, first name or last name, it is possible for arbitrary javascript to be executed on all Fat Free CRM pages. This code would be executed for all logged in users.
Disabling user creation and signup will help to mitigate the vulnerability, but not entirely. It would still possible for logged in users to edit their own user account details to take advantage of vulnerability - this would then affect all users of the Fat Free CRM site.
For those needing to patch manually, please apply the changes in this commit:
Please report issues to [email protected]. We will work with you to understand the issue and how we can fix it. Please do not disclose the issue publicly until it has been resolved and released. We're more than willing to give you credit for discovering the issue, once it has been patched and announced, but until then we ask that you consider the security implications of the issue you have found and the impact on others using an un-patched system.
Further details can be found here: https://github.com/fatfreecrm/fat_free_crm/wiki/Security