PT-2014-3291 · Fat Free Crm · Fat Free Crm
Fgeeko · Published 2014-01-02 · Updated 2022-05-17 · CVE-2013-7222
CVSS v2.0: 5.0 (Medium)
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Fat Free CRM versions prior to 0.12.1
Description
The issue makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code. This is due to a fixed FatFreeCRM::Application.config.secret_token value in the config/initializers/secret_token.rb file.
Recommendations
For versions prior to 0.12.1, update to version 0.12.1 or later to resolve the issue. As a temporary workaround, consider regenerating and using a unique secret_token value for FatFreeCRM::Application.config.secret_token to minimize the risk of exploitation.
Exploit
Fix
Use of Insufficiently Random Values
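As an added example (not code from this advisory, from Fat Free CRM, or from Rails), the Ruby below shows why a secret committed to source defeats cookie signing and what the recommended workaround changes. It generates a per-deployment token of the same shape `rake secret` produces, implements a minimal HMAC signed-cookie check in the style of Rails signed cookies (a stand-in, not ActiveSupport::MessageVerifier itself), shows that a cookie minted under the shared secret stops verifying once the secret is rotated, and flags an initializer that assigns a string literal to `config.secret_token` instead of reading it from the environment. The secret value, the two initializer snippets and the cookie payload are constructed placeholders, and `generate_secret_token`, `sign_cookie`, `verify_cookie` and `hardcoded_secret?` are names chosen here.

```ruby
require 'securerandom'
require 'openssl'

# Constructed placeholder standing in for a token that ships in source; not the real value.
SHIPPED_SECRET = 'PLACEHOLDER_FIXED_TOKEN_SHIPPED_IN_SOURCE'

# Constructed sample of the vulnerable pattern: the secret is a literal committed to the repo.
VULNERABLE_INITIALIZER = <<~RUBY
  FatFreeCRM::Application.config.secret_token = '#{SHIPPED_SECRET}'
RUBY

# Constructed sample of the workaround: each deployment supplies its own secret at boot.
FIXED_INITIALIZER = <<~RUBY
  FatFreeCRM::Application.config.secret_token = ENV.fetch('SECRET_TOKEN')
RUBY

# Fresh, deployment-specific secret: 64 random bytes as 128 hex characters, like `rake secret`.
def generate_secret_token
  SecureRandom.hex(64)
end

# Constant-time comparison so the verifier does not leak which digest byte mismatched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Minimal Rails-style signed cookie: base64(payload)--HMAC-SHA1(base64(payload), secret).
def sign_cookie(payload, secret)
  data = [payload].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Returns the payload when the signature checks out under `secret`, otherwise nil.
def verify_cookie(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil? || data.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  return nil unless secure_compare(expected, digest)
  data.unpack1('m0')
rescue ArgumentError
  nil # malformed base64
end

# Audit check: does the initializer assign a string literal to config.secret_token?
HARDCODED_SECRET = /config\.secret_token\s*=\s*['"][^'"]+['"]/

def hardcoded_secret?(initializer_source)
  !(initializer_source =~ HARDCODED_SECRET).nil?
end

# A cookie signed under the shared secret verifies only while that secret stays in use;
# after rotating to a unique token it is rejected, which is the whole point of the workaround.
def demo
  cookie = sign_cookie('user_id=1', SHIPPED_SECRET)
  rotated = generate_secret_token
  {
    accepted_under_shipped_secret: !verify_cookie(cookie, SHIPPED_SECRET).nil?,
    accepted_after_rotation: !verify_cookie(cookie, rotated).nil?,
    vulnerable_initializer_flagged: hardcoded_secret?(VULNERABLE_INITIALIZER),
    fixed_initializer_flagged: hardcoded_secret?(FIXED_INITIALIZER)
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Rotating the secret invalidates every session cookie issued under the old value, so schedule the change for a maintenance window; the audit regex is deliberately narrow (a quoted literal on the assignment line) and complements, rather than replaces, keeping the initializer out of version control.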
Related identifiers
Affected products
Fat Free Crm