
CVE-2018-1000842: Fat Free CRM vulnerable to Cross-site Scripting

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.63276%
Published: 12/20/2018
Updated: 8/25/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package       Ecosystem  Vulnerable Versions   First Patched Version
fat_free_crm  rubygems   < 0.14.2              0.14.2
fat_free_crm  rubygems   >= 0.15.0, < 0.15.2   0.15.2
fat_free_crm  rubygems   >= 0.16.0, < 0.16.4   0.16.4
fat_free_crm  rubygems   >= 0.17.0, < 0.17.3   0.17.3
fat_free_crm  rubygems   = 0.18.0              0.18.1

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability was explicitly linked to a commit (6d60bc8ed010c4eda05d6645c64849f415f68d65) that modifies the tag_link method in tag_helper.rb. The patch wraps the tag name output in HTML escaping (h(), Rails' alias for ERB::Util.html_escape). This indicates the original implementation lacked output encoding for user-controlled tag names, so markup typed into a tag name was rendered as markup rather than text, making it susceptible to stored XSS. The advisory and wiki both confirm the XSS stemmed from unescaped tag content rendering.
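To make the root cause concrete, the following is an added, constructed example of the helper shape the analysis describes; it is hypothetical code, not Fat Free CRM's tag_helper.rb. It puts a tag-link helper that interpolates a user-controlled tag name verbatim beside a hardened version that encodes on output with ERB::Util.html_escape (the method Rails exposes as h()), and adds a crude review check that counts unexpected markup in the rendered fragment. Only the Ruby standard library is used, so it runs without Rails; the tag names, module name and method names are all assumptions.

```ruby
require "erb"

# Constructed, simplified model of a Rails tag-link helper (hypothetical;
# not Fat Free CRM's code). Tag names are user-controlled data.
module TagLinkDemo
  module_function

  # Vulnerable shape: the tag name goes into the markup verbatim, so any
  # markup a user typed into a tag name is rendered as markup, not as text.
  def tag_link_unescaped(tag_name)
    %(<a class="tag" href="/tags/#{tag_name}">#{tag_name}</a>)
  end

  # Hardened shape, matching the fix the advisory describes: encode on output.
  # ERB::Util.html_escape is what Rails calls h(). The href path segment is a
  # different context with different rules, so it gets URL encoding instead.
  def tag_link_escaped(tag_name)
    text = ERB::Util.html_escape(tag_name)
    path = ERB::Util.url_encode(tag_name)
    %(<a class="tag" href="/tags/#{path}">#{text}</a>)
  end

  # Render a tag list the way a view would, one link per tag.
  def tag_list(tag_names, escape: true)
    tag_names.map { |name| escape ? tag_link_escaped(name) : tag_link_unescaped(name) }
             .join(" ")
  end

  # Review check: each link legitimately contributes exactly two "<" (the
  # opening <a and the closing </a). Any "<" beyond that came from tag content
  # rendered as markup. Crude, but enough to flag a helper in a unit test.
  def unexpected_markup_count(rendered, link_count)
    rendered.count("<") - 2 * link_count
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample tag names; the first one carries markup characters.
  tags = ['<b>hot</b> & "x"', "sales"]
  [false, true].each do |escape|
    html = TagLinkDemo.tag_list(tags, escape: escape)
    puts "escape=#{escape}: #{html}"
    puts "  unexpected markup: #{TagLinkDemo.unexpected_markup_count(html, tags.length)}"
  end
end
```

Note that the two contexts inside the anchor need two different encoders: html_escape for the element text and url_encode for the path segment. Escaping the text once does not make the value safe to drop into a URL attribute, which is why the hardened helper encodes each interpolation for its own context.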
