A vulnerability was found in Fat Free CRM up to 0.13.4 (Customer Relationship Management System). It has been rated as critical. This issue affects an unknown function of the component Administrator Account. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. Using CWE to declare the problem leads to CWE-352. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account.

The weakness was shared 02/19/2015 (Website). The advisory is shared at github.com. The identification of this vulnerability is CVE-2015-1585 since 02/11/2015. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.

Upgrading to version 0.13.5 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (100925). The entries VDB-73870, VDB-74456, VDB-100493 and VDB-102010 are related to this item.

Productinfo

Type

• Customer Relationship Management System

Vendor

• Fat Free

Name

• CRM

Version

• 0.13.0
• 0.13.1
• 0.13.2
• 0.13.3
• 0.13.4

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion