GHSA-gmg5-r3c4-3fm9

Published: 24 May 2022
Source: github
GitHub: reviewed
CVSS3: 5.4

Description

Withdrawn Advisory: Fat Free CRM Cross-site Scripting vulnerability

Withdrawn

This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references.

According to the maintainers of Fat Free CRM, the CRM comment feature allows certain HTML markup but sanitizes the output when it is rendered to the page. This allows safe tags (such as <h1>, which the reporter tested and reported as a vulnerability) but correctly disallows <script> tags and other dangerous markup.

Original Description

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.

Packages

Name           Ecosystem   Affected versions   Fixed version
fat_free_crm   rubygems    <= 0.19.0           None

EPSS

Percentile: 82%
Score: 0.01758 (Low)

CVSS3: 5.4 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
Source: nvd
Published: more than 6 years ago

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is an XSS protection mechanism.

EPSS

Percentile: 82%
Score: 0.01758 (Low)

CVSS3: 5.4 Medium

Weaknesses

CWE-79