CVE-2013-7223: Fat Free CRM contains Cross-site Request Forgery vulnerabilities

CVSS Score: 6.8

Basic Information

EPSS Score: 0.65957%
Published: 5/17/2022
Updated: 1/23/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
fat_free_crm    rubygems     < 0.12.1               0.12.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the lack of CSRF protection in the Rails application. The commit diff explicitly adds protect_from_forgery to the ApplicationController, which is a Rails security mechanism to validate requests with authenticity tokens. Without this line, all controller actions inheriting from ApplicationController (the base controller) are exposed to CSRF attacks. The advisory and CVE description directly attribute the vulnerability to this missing protection, making this the definitive root cause.
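To make the missing check concrete, here is an added example (not Fat Free CRM or Rails source): a minimal stand-alone model of what protect_from_forgery enforces, run with and without the protection against constructed requests. The request hash shape and the names issue_csrf_token, verified_request? and handle are assumptions made for this illustration.

```ruby
# Added example, not Fat Free CRM or Rails source: a minimal model of the
# check that protect_from_forgery enables, run against constructed requests.
require 'securerandom'

SAFE_METHODS = %w[GET HEAD].freeze

# Rails keeps a random token in the session and echoes it into every form
# (authenticity_token) and into the X-CSRF-Token header for XHR calls.
def issue_csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison so the check does not leak the token byte by byte.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors Rails' verified_request?: reads are exempt; any state-changing
# request must carry the session's token in the form field or the header.
# A cross-site form post rides on the victim's session cookie but cannot
# read that token, so it fails here.
def verified_request?(request, session)
  return true if SAFE_METHODS.include?(request[:method])
  expected = session[:_csrf_token]
  return false if expected.nil?
  supplied = request.dig(:params, 'authenticity_token') ||
             request.dig(:headers, 'X-CSRF-Token')
  constant_time_equal?(expected, supplied)
end

# forgery_protection: false models ApplicationController before the fix
# (no protect_from_forgery line); true models the patched controller,
# where Rails rejects the request instead of running the action.
def handle(request, session, forgery_protection:)
  return :rejected_invalid_authenticity_token if forgery_protection && !verified_request?(request, session)
  :accepted
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_csrf_token(session)
  cross_site_post = { method: 'POST', params: { 'name' => 'x' }, headers: {} }
  own_form_post   = { method: 'POST', params: { 'authenticity_token' => token }, headers: {} }
  puts handle(cross_site_post, session, forgery_protection: false) # accepted: the CVE
  puts handle(cross_site_post, session, forgery_protection: true)  # rejected_invalid_authenticity_token
  puts handle(own_form_post, session, forgery_protection: true)    # accepted
end
```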


WAF Protection Rules

WAF Rule

Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a `protect_from_forgery` line in `app/cont
