CVE-2019-10226

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is a XSS protection mechanism.
Configurations

Configuration 1 (hide)

cpe:2.3:a:fatfreecrm:fat_free_crm:0.19.0:*:*:*:*:*:*:*

History

22 Feb 2024, 03:15

Type Values Removed Values Added
Summary HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is a XSS protection mechanism.
References
  • () https://github.com/fatfreecrm/fat_free_crm/issues/1235 -
  • () https://www.exploit-db.com/exploits/46617/ -
  • () https://github.com/fatfreecrm/fat_free_crm/blob/master/app/views/comments/_comment.html.haml#L2 -
  • () https://apidock.com/rails/ActionView/Helpers/TextHelper/simple_format -

Information

Published : 2019-06-10 23:29

Updated : 2024-08-04 23:15


NVD link : CVE-2019-10226

Mitre link : CVE-2019-10226

CVE.ORG link : CVE-2019-10226


JSON object : View

Products Affected

fatfreecrm

  • fat_free_crm
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')