Skip to content

XSS vulnerabilities (4th Sept 2014)

steveyken edited this page Sep 4, 2014 · 1 revision

Several javascript cross-site scripting (XSS) vulnerabilities have been found and fixed in the most recent version of Fat Free CRM. You are strongly encouraged to update your installation.

Versions affected: all versions

Fixed version: v0.13.4

Impact

Various templates were using the 'html_safe' method in an unsafe manner. Affected code was executing a user defined javascript payload.

Patches

For those needing to patch manually, please apply the following patch:

https://github.com/fatfreecrm/fat_free_crm/compare/v0.13.3...v0.13.4

Credits

Ankit Bharathan (fb.me/noob.pikachu) for reporting an XSS vulnerability in the user profile form.

Responsible disclosure policy

Please report issues to security@fatfreecrm.com. We will work with you to understand the issue and how we can fix it. Please do not disclose the issue publicly until it has been resolved and released. We're more than willing to give you credit for discovering the issue, once it has been patched and announced, but until then we ask that you consider the security implications of the issue you have found and the impact on others using an un-patched system.

Further details can be found here: https://github.com/fatfreecrm/fat_free_crm/wiki/Security

Clone this wiki locally