5

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2013-7222

GHSA ID

GHSA-g897-cgfc-7q8v

EPSS Score

0.74273%

CWE

CWE-330

Published

5/17/2022

Updated

8/16/2023

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-7222

CVE-2013-7222: Fat Free CRM has fixed token value

config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2013-7222

CVE-2013-7222:

5

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2013-7222

GHSA ID

GHSA-g897-cgfc-7q8v

EPSS Score

0.74273%

CWE

CWE-330

Published

5/17/2022

Updated

8/16/2023

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fat_free_crm	rubygems	< 0.12.1	0.12.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the static assignment of FatFreeCRM::Application.config.secret_token in the initializer file. The pre-patch code explicitly sets this value to a fixed string ('51aa366864a80316a85cff0d3762347f4ae3d029d548bef034d56e82b1a2ffac5353ee6719d9b64e4354e2a0b1a901679f46a851c360a2ea377188e4b196b6b6'), violating CWE-330 by using a predictable/non-random value. The commit diff shows this line was guarded behind a test environment check post-patch, forcing runtime secret generation via rake ffcrm:secret in production. This static initialization is the root cause enabling cookie spoofing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2013-7222: Fat Free CRM has fixed token value

CVE-2013-7222:

5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5

5

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2013-7222: Fat Free CRM has fixed token value

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI