CVE-2019-10226

Опубликовано: 10 июн. 2019

Источник: nvd

CVSS3: 5.4

CVSS2: 4.3

EPSS Низкий

Описание

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is a XSS protection mechanism.

Ссылки

http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html
Third Party Advisory
VDB Entry
https://apidock.com/rails/ActionView/Helpers/TextHelper/simple_format
https://github.com/fatfreecrm/fat_free_crm/blob/master/app/views/comments/_comment.html.haml#L2
https://github.com/fatfreecrm/fat_free_crm/issues/1235
https://www.exploit-db.com/exploits/46617/
http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html
Third Party Advisory
VDB Entry
https://apidock.com/rails/ActionView/Helpers/TextHelper/simple_format
https://github.com/fatfreecrm/fat_free_crm/blob/master/app/views/comments/_comment.html.haml#L2
https://github.com/fatfreecrm/fat_free_crm/issues/1235
https://www.exploit-db.com/exploits/46617/

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:fatfreecrm:fat_free_crm:0.19.0:*:*:*:*:*:*:*

EPSS

Процентиль: 82%

0.01758

Низкий

5.4 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-gmg5-r3c4-3fm9