CVE-2018-1000842: Fat Free CRM vulnerable to Cross-site Scripting
CVSS Score: 6.1 (CVSS 3.1)
Basic Information
CVE ID: CVE-2018-1000842
GHSA ID:
EPSS Score: 0.63276%
CWE:
Published: 12/20/2018
Updated: 8/25/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
fat_free_crm | rubygems | < 0.14.2 | 0.14.2 |
fat_free_crm | rubygems | >= 0.15.0, < 0.15.2 | 0.15.2 |
fat_free_crm | rubygems | >= 0.16.0, < 0.16.4 | 0.16.4 |
fat_free_crm | rubygems | >= 0.17.0, < 0.17.3 | 0.17.3 |
fat_free_crm | rubygems | = 0.18.0 | 0.18.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability was explicitly linked to a commit (6d60bc8ed010c4eda05d6645c64849f415f68d65) that modifies the tag_link method in tag_helper.rb. The patch adds HTML escaping (h()) to the tag name output. This indicates the original implementation lacked proper output encoding for user-controlled tag names, making it susceptible to XSS. The advisory and wiki both confirm the XSS stemmed from unescaped tag content rendering.
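The following Ruby snippet is an added illustration, not code from Fat Free CRM or from the referenced commit. It models the pattern the root cause analysis describes: a helper that interpolates a user-controlled tag name into an anchor without output encoding, next to the same helper with the escaping that h() provides (ERB::Util.html_escape, which the Rails h() helper delegates to). The function names tag_link_vulnerable and tag_link_fixed, the anchor markup, and the tag value are all constructed for this example; the real tag_link signature and template are not shown on this page. The last function is a small reviewer-side check over rendered output that flags inner text still carrying raw angle brackets.

```ruby
require 'erb'
require 'cgi'

# Constructed sample tag name standing in for user-supplied input (not project data).
MALICIOUS_TAG = '<script>alert(1)</script>'.freeze

# Hypothetical stand-in for the pre-fix helper: the tag name is dropped into
# markup as-is, so any HTML in it is rendered by the browser.
def tag_link_vulnerable(tag_name)
  href = "/tags/#{CGI.escape(tag_name)}"
  %(<a href="#{href}" class="tag">#{tag_name}</a>)
end

# Hypothetical stand-in for the post-fix helper: every interpolated value is
# HTML-escaped before it reaches the markup. ERB::Util.html_escape encodes
# & < > " and ', which is what h() does in a Rails view helper.
def tag_link_fixed(tag_name)
  href = "/tags/#{CGI.escape(tag_name)}"
  %(<a href="#{ERB::Util.html_escape(href)}" class="tag">#{ERB::Util.html_escape(tag_name)}</a>)
end

# Reviewer's check for rendered anchors: the inner text must contain no raw
# angle brackets once the helper has run. Returns true when the output is
# safe to emit, false when unescaped markup survived.
def inner_text_escaped?(anchor_html)
  inner = anchor_html[%r{\A<a [^>]*>(.*)</a>\z}m, 1]
  !inner.nil? && !inner.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{tag_link_vulnerable(MALICIOUS_TAG)}"
  puts "fixed:      #{tag_link_fixed(MALICIOUS_TAG)}"
  puts "vulnerable escaped? #{inner_text_escaped?(tag_link_vulnerable(MALICIOUS_TAG))}"
  puts "fixed escaped?      #{inner_text_escaped?(tag_link_fixed(MALICIOUS_TAG))}"
end
```

Run it with `ruby tag_link_example.rb`; the unescaped helper echoes the script element verbatim, while the fixed helper emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser shows as text. The check in inner_text_escaped? is the kind of assertion worth keeping in a helper's unit tests so that a later refactor cannot quietly drop the escaping again.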