CVE-2014-5441

Name of the Vulnerable Software and Affected Versions Fat Free CRM versions prior to 0.13.3

Description The issue allows remote attackers to inject arbitrary web script or HTML via the username, first name, or last name in a create or edit user action. This is due to multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml.

Recommendations For versions prior to 0.13.3, update to version 0.13.3 or later to resolve the issue. As a temporary workaround, consider restricting user input for the username, first name, and last name fields to minimize the risk of exploitation.