PT-2014-3291 · Fat Free Crm · Fat Free Crm
Fgeeko · Published 2014-01-02 · Updated 2022-05-17 · CVE-2013-7222
CVSS v2.0: 5.0 (Medium)
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Fat Free CRM versions prior to 0.12.1
Description
The issue makes it easier for remote attackers to spoof signed cookies, because the signing key can be read from the source code. The cause is a fixed FatFreeCRM::Application.config.secret_token value in the config/initializers/secret_token.rb file.
Recommendations
For versions prior to 0.12.1, update to version 0.12.1 or later to resolve the issue. As a temporary workaround, regenerate and use a unique secret token value for FatFreeCRM::Application.config.secret_token to minimize the risk of exploitation.
Exploit
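The weak pattern the advisory describes, next to the hardened form the workaround calls for, as an added example; this is not Fat Free CRM's own initializer. The placeholder secret, the SECRET_TOKEN environment variable name, the 30-character minimum and the helper names are assumptions of the example.

```ruby
# Added example (not Fat Free CRM's code): a secret_token initializer that
# reads the cookie-signing key from the environment instead of a literal in
# config/initializers/secret_token.rb. Names and the placeholder are assumed.
require 'securerandom'

# Constructed placeholder standing in for a secret committed to source control.
# Any value that lives in the repository is known to everyone who can read it.
HARDCODED_SECRET_TOKEN = 'PLACEHOLDER_FIXED_SECRET_FROM_REPO'.freeze

# Weak pattern: the value is a literal in the initializer, so every deployment
# shares the same cookie-signing key.
def weak_secret_token
  HARDCODED_SECRET_TOKEN
end

# What `rake secret` produces: 64 random bytes, hex-encoded (128 hex chars).
def generate_secret_token
  SecureRandom.hex(64)
end

class MissingSecretToken < StandardError; end

# Hardened pattern: take the secret from the environment (populated from a
# file or secret store outside the repo) and refuse to boot without one,
# rather than falling back to a default. `env` is injectable for testing.
def secret_token_from(env = ENV, key = 'SECRET_TOKEN')
  token = env[key].to_s
  raise MissingSecretToken, "#{key} is not set; run `rake secret` and export it" if token.empty?
  raise MissingSecretToken, "#{key} is too short; need at least 30 characters" if token.length < 30
  token
end

# Check an operator can run against a deployed configuration: flags a token
# that matches a known committed value or is too short to be random.
def weak_secret_token?(token, known_fixed = [HARDCODED_SECRET_TOKEN])
  token = token.to_s
  token.empty? || token.length < 30 || known_fixed.include?(token)
end

if $PROGRAM_NAME == __FILE__
  puts "committed token flagged: #{weak_secret_token?(weak_secret_token)}"
  fresh = generate_secret_token
  puts "generated token flagged: #{weak_secret_token?(fresh)}"
  puts "hardened initializer loaded #{secret_token_from({ 'SECRET_TOKEN' => fresh }).length} chars"
end
```

In a Rails 3 app the last function's return value is what would be assigned to FatFreeCRM::Application.config.secret_token; the point of raising instead of defaulting is that a missing secret fails loudly at boot rather than silently reusing a shared key.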
Fix
Use of Insufficiently Random Values
Related Identifiers
Affected Products
Fat Free Crm