
CVE-2013-7222: Fat Free CRM has fixed token value

CVSS Score: 5

Basic Information

EPSS Score: 0.74273%
Published: 5/17/2022
Updated: 8/16/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
fat_free_crm   rubygems    < 0.12.1              0.12.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the static assignment of FatFreeCRM::Application.config.secret_token in the initializer file. The pre-patch code explicitly sets this value to a fixed string ('51aa366864a80316a85cff0d3762347f4ae3d029d548bef034d56e82b1a2ffac5353ee6719d9b64e4354e2a0b1a901679f46a851c360a2ea377188e4b196b6b6'), violating CWE-330 by using a predictable, non-random value that ships in the public source tree. The commit diff shows that post-patch this assignment is guarded behind a test-environment check, so production deployments must generate their own secret at runtime via rake ffcrm:secret. This static initialization is the root cause: anyone who reads the source knows the cookie-signing key, which enables cookie spoofing.
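As an added illustration (not Fat Free CRM's own code and not the actual patch), the weak initializer pattern described above sits next to a hardened form that tolerates the fixed literal only in the test environment and otherwise requires a per-deployment secret, plus a small audit check for hard-coded tokens. The AppConfig struct, the deployment_secret parameter and the checker are assumptions standing in for Rails' config object and the file that rake ffcrm:secret generates.

```ruby
require 'securerandom'

# Stand-in for FatFreeCRM::Application.config (assumption: a plain struct,
# so the example runs without Rails).
AppConfig = Struct.new(:secret_token)

# The literal quoted in the advisory; kept here only so the checks below can reject it.
KNOWN_FIXED_TOKEN = '51aa366864a80316a85cff0d3762347f4ae3d029d548bef034d56e82b1a2ffac' \
                    '5353ee6719d9b64e4354e2a0b1a901679f46a851c360a2ea377188e4b196b6b6'

# Weak pattern (pre-patch): every installation shares one token that lives in
# the public source tree, so cookie signatures are no longer a per-site secret.
def weak_initializer(config)
  config.secret_token = KNOWN_FIXED_TOKEN
  config
end

# Hardened pattern: the fixed literal is acceptable only in the test environment.
# Elsewhere the token must be a per-deployment value (passed in here, standing in
# for the file that `rake ffcrm:secret` writes) and boot fails if it is missing,
# is the published literal, or is too short to be a generated value.
def hardened_initializer(config, env:, deployment_secret: nil)
  if env == 'test'
    config.secret_token = KNOWN_FIXED_TOKEN
    return config
  end
  token = deployment_secret.to_s
  raise 'secret_token missing: generate one with rake ffcrm:secret' if token.empty?
  raise 'secret_token is the published fixed value; regenerate it' if token == KNOWN_FIXED_TOKEN
  raise 'secret_token too short for a generated value' if token.length < 64
  config.secret_token = token
  config
end

# Per-deployment token generation, the way a rake task would do it (64 random bytes as hex).
def generate_secret_token
  SecureRandom.hex(64)
end

# Defender's audit check: flag an initializer that assigns a long hex literal to
# secret_token (skips comment lines; deliberately coarse, it does not parse Ruby).
def hardcoded_secret_token?(source)
  source.each_line.any? do |line|
    line !~ /\A\s*#/ && line =~ /secret_token\s*=\s*['"][0-9a-f]{32,}['"]/
  end
end
```

Running hardcoded_secret_token? over config/initializers/secret_token.rb of a checked-out tree is the quick way to confirm a deployment is not still carrying the literal.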


WAF Protection Rules

WAF Rule

`config/initializers/secret_token.rb` in Fat Free CRM before 0.12.1 has a fixed `FatFreeCRM::Application.config.secret_token` value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.
