CVE-2013-7223: Fat Free CRM contains Cross-site Request Forgery vulnerabilities
CVSS Score: 6.8
Basic Information
CVE ID: CVE-2013-7223
GHSA ID
EPSS Score: 0.65957%
CWE
Published: 5/17/2022
Updated: 1/23/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector (v2): AV:N/AC:M/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
fat_free_crm | rubygems | < 0.12.1 | 0.12.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the absence of CSRF protection in the Rails application. The fixing commit adds `protect_from_forgery` to ApplicationController, the Rails mechanism that requires every state-changing (non-GET) request to carry the per-session authenticity token, supplied either as the `authenticity_token` form parameter or the `X-CSRF-Token` request header. Without that line, every action inheriting from ApplicationController (the application's base controller) accepts a request forged from a third-party page: the victim's browser attaches the session cookie automatically, and the attacker never needs to know the token. The advisory and CVE description attribute the vulnerability directly to this missing protection, so it is the definitive root cause. Two practical caveats when verifying the fix: the filter only rejects requests whose token is missing or wrong, so every form and AJAX call in the application must emit it (the `form_for`/`form_tag` helpers and `csrf_meta_tags` do this), and the outcome of a failed check depends on the Rails version, which either resets the session or raises ActionController::InvalidAuthenticityToken.
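The following is an added example that models the check `protect_from_forgery` performs; it is not Fat Free CRM's or Rails' code, and it does not depend on Rails so it runs stand-alone. The request shape (a Hash with method, session, params and headers), the `destroy_contact` action, the `dispatch` helper and the `protect_from_forgery:` flag are assumptions made for the demonstration. It runs the same forged POST against a base controller without the check (the state before 0.12.1) and with it (the state after the fix), and also shows that a legitimate request carrying the session's token still succeeds.

```ruby
require "securerandom"

# Model of Rails-style request-forgery protection, written for this page.
# Not Fat Free CRM's or Rails' code; the names below are assumptions.
# A request is a Hash: { method:, session:, params:, headers: }.

SAFE_METHODS = %w[GET HEAD].freeze

# Issue (or reuse) the per-session token that forms and AJAX calls echo back.
def csrf_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time string comparison so the token cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rails-style verification: state-changing requests must carry the session's
# token in the `authenticity_token` param or the X-CSRF-Token header.
def verified_request?(request)
  return true if SAFE_METHODS.include?(request[:method])
  expected = request[:session][:_csrf_token]
  return false if expected.nil?
  supplied = request[:params]["authenticity_token"] || request[:headers]["X-CSRF-Token"]
  return false if supplied.nil?
  secure_equal?(supplied, expected)
end

# A state-changing action of the kind a CRM exposes (destroying a record).
# `contacts` stands in for the database; it is constructed inline below.
def destroy_contact(contacts, id)
  contacts.delete(id)
  :deleted
end

# Dispatch through a base controller with or without the forgery check.
# `protect_from_forgery: false` models ApplicationController before 0.12.1.
def dispatch(request, contacts, protect_from_forgery:)
  if protect_from_forgery && !verified_request?(request)
    return :invalid_authenticity_token # Rails resets the session or raises here
  end
  destroy_contact(contacts, request[:params]["id"])
end

# The victim's logged-in session; the token was issued on a normal page load.
def victim_session
  session = { user_id: 42 }
  csrf_token(session)
  session
end

# A forged POST from a third-party page: the browser attaches the victim's
# session cookie, but the attacker has no way to read the session's token.
def forged_request(session)
  { method: "POST", session: session, headers: {}, params: { "id" => 7 } }
end

# The same POST submitted from the CRM's own form, which embeds the token.
def legitimate_request(session)
  { method: "POST", session: session, headers: {},
    params: { "id" => 7, "authenticity_token" => session[:_csrf_token] } }
end

# Runs the forged request against both controller states and returns what happened.
def demo
  results = {}
  session = victim_session

  # Before the fix: the forged request deletes the record.
  contacts = { 7 => "Alice" }
  results[:vulnerable_forged] = dispatch(forged_request(session), contacts, protect_from_forgery: false)
  results[:vulnerable_contacts_left] = contacts.size

  # After the fix: the forged request is rejected, the legitimate one still works.
  contacts = { 7 => "Alice" }
  results[:fixed_forged] = dispatch(forged_request(session), contacts, protect_from_forgery: true)
  results[:fixed_contacts_after_forged] = contacts.size
  results[:fixed_legit] = dispatch(legitimate_request(session), contacts, protect_from_forgery: true)
  results[:fixed_contacts_after_legit] = contacts.size
  results
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point the model makes explicit is that the cookie alone proves nothing about where a request came from; only the token, which the same-origin policy keeps out of the attacker's reach, does. Because GET and HEAD are skipped, any state change reachable by GET stays forgeable even with the filter in place, which is the other thing to check when auditing a fix like this one.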