Fat Free CRM suffers from a persistent cross site scripting vulnerability.
9085dbacf746f29e2840fb8a68bbb2ea21e2012f16cdfc567e0e81080f76a410# Affected software:
Fatt Free CRM - URL: http://www.fatfreecrm.com/
# Discovered by:
Ankit Bharathan
# Type of vulnerability: XSS Stored
#
# Fat Free CRM is an open source
Ruby on Rails-based customer relationship management platform. Out of the
box it features group collaboration, campaign and lead management, contact
lists, and opportunity tracking.
#
# Description: Fat Free CRM is prone to a Persistent Cross Site Scripting
attack that allows a malicious user to inject HTML or scripts that can
access any cookies, session tokens, or other
sensitive information retained by your browser and used with that site.
# Proof of concept:
1> Go to
http://demo.fatfreecrm.com/users/1
2> go to edit profile.
3> Fill the
alternate email
with a javascript payload eg:
<body/onload=alert(1)>
4> save it and reload the page. the javascript payload gets executed
--
Best Regards,
*Ankit Bharathan.*
*Save Energy... Save Nature... Go Green...*
P *Consider the environment. Please don't print this e-mail unless
absolutely necessary.*
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed