PT-2019-11643 · Fat Free CRM

Ismail Tasdelen · Published 2019-06-10 · Updated 2024-08-04 · CVE-2019-10226

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Fat Free CRM version 0.19.0
Description: An HTML injection issue has been reported in the Fat Free CRM product, reachable via an authenticated request to the "/comments" URI. The vendor disputes the significance of this report, stating that some HTML formatting is allowed by design and that an XSS protection mechanism is in place. It is also noted that the submitted HTML markup is sanitized when rendered to the page: safe tags such as <h1> are allowed, while dangerous elements such as <script> tags are disallowed.
Recommendations: For Fat Free CRM version 0.19.0, consider restricting access to the "/comments" URI until the issue is resolved. The vendor's dispute suggests the vulnerability may not be significant, but caution should still be exercised. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: XSS

Weakness Enumeration

Related Identifiers: CVE-2019-10226, GHSA-GMG5-R3C4-3FM9

Affected Products: Fat Free CRM