Описание
config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.
Ссылки
- Exploit
- ExploitPatch
- Vendor Advisory
- Exploit
- ExploitPatch
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.12.0 (включая)
Одно из
cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*
cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.6:*:*:*:*:*:*:*
cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.7:*:*:*:*:*:*:*
cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.8:*:*:*:*:*:*:*
cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.9:*:*:*:*:*:*:*
cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.10:*:*:*:*:*:*:*
cpe:2.3:a:fatfreecrm:fat_free_crm:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.2:*:*:*:*:*:*:*
EPSS
Процентиль: 75%
0.00873
Низкий
5 Medium
CVSS2
Дефекты
CWE-310
Связанные уязвимости
EPSS
Процентиль: 75%
0.00873
Низкий
5 Medium
CVSS2
Дефекты
CWE-310