GSD-2013-7223
Vulnerability from gsd - Updated: 2013-12-24 00:00

Details
Fat Free CRM before 0.12.1 does not call `protect_from_forgery` in its base controller
(app/controllers/application_controller.rb), so the Rails CSRF authenticity-token check is
absent application-wide: sensitive, state-changing requests do not require multiple steps,
explicit confirmation, or a unique per-session token. By luring a logged-in user to a
specially crafted link or page, a context-dependent attacker can perform a Cross-Site
Request Forgery (CSRF / XSRF) attack and have the victim's browser submit actions on the
attacker's behalf; the advisory does not enumerate which actions are reachable. Fixed in
0.12.1 and 0.13.0 (see the patch commit and vendor wiki entry in the references below).
Aliases
{
"GSD": {
"alias": "CVE-2013-7223",
"description": "Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controllers/application_controller.rb.",
"id": "GSD-2013-7223"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "fat_free_crm",
"purl": "pkg:gem/fat_free_crm"
}
}
],
"aliases": [
"CVE-2013-7223",
"OSVDB-101446"
],
"details": "Fat Free CRM contains a flaw as the application is missing the protect_from_forgery\nstatement, therefore HTTP requests to app/controllers/application_controller.rb\ndo not require multiple steps, explicit confirmation, or a unique token when\nperforming certain sensitive actions. By tricking a user into following a specially\ncrafted link, a context-dependent attacker can perform a Cross-Site Request Forgery\n(CSRF / XSRF) attack causing the victim to perform unspecified actions.\n",
"id": "GSD-2013-7223",
"modified": "2013-12-24T00:00:00.000Z",
"published": "2013-12-24T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7223"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
}
],
"summary": "Fat Free CRM Gem for Ruby contains multiple cross-site request forgery (CSRF) vulnerabilities"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7223",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controllers/application_controller.rb."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fatfreecrm/fat_free_crm/commit/a7fedbb36388bad0c0f32b2346481e0ea126dea6",
"refsource": "CONFIRM",
"url": "https://github.com/fatfreecrm/fat_free_crm/commit/a7fedbb36388bad0c0f32b2346481e0ea126dea6"
},
{
"name": "20131224 Happy Holidays / Xmas Advisory",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2013/Dec/199"
},
{
"name": "[oss-security] 20131228 Re: CVE request: Fat Free CRM multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2013/12/28/2"
},
{
"name": "http://www.phenoelit.org/stuff/ffcrm.txt",
"refsource": "MISC",
"url": "http://www.phenoelit.org/stuff/ffcrm.txt"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/issues/300",
"refsource": "CONFIRM",
"url": "https://github.com/fatfreecrm/fat_free_crm/issues/300"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29",
"refsource": "CONFIRM",
"url": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-7223",
"cvss_v2": 6.8,
"date": "2013-12-24",
"description": "Fat Free CRM contains a flaw as the application is missing the protect_from_forgery\nstatement, therefore HTTP requests to app/controllers/application_controller.rb\ndo not require multiple steps, explicit confirmation, or a unique token when\nperforming certain sensitive actions. By tricking a user into following a specially\ncrafted link, a context-dependent attacker can perform a Cross-Site Request Forgery\n(CSRF / XSRF) attack causing the victim to perform unspecified actions.\n",
"gem": "fat_free_crm",
"osvdb": 101446,
"patched_versions": [
"\u003e= 0.13.0",
"~\u003e 0.12.1"
],
"title": "Fat Free CRM Gem for Ruby contains multiple cross-site request forgery (CSRF) vulnerabilities",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7223"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=0.0.0 \u003c0.12.1",
"affected_versions": "All versions starting from 0.0.0 before 0.12.1",
"credit": "Steve Kenworthy",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-352",
"CWE-937"
],
"date": "2014-01-03",
"description": "In `app/controllers/application_controller.rb` the `protect_from_forgery` statement is missing, therefore Fat Free CRM is vulnerable to CSRF attacks.",
"fixed_versions": [
"0.12.1",
"0.13.0"
],
"identifier": "CVE-2013-7223",
"identifiers": [
"CVE-2013-7223"
],
"package_slug": "gem/fat_free_crm",
"pubdate": "2014-01-02",
"solution": "Upgrade to latest",
"title": "Lack of CSRF Protection",
"urls": [
"http://seclists.org/fulldisclosure/2013/Dec/199"
],
"uuid": "827d028b-bb17-4d0a-a230-3b62465daf16"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "0.12.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.10.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7223"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controllers/application_controller.rb."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fatfreecrm/fat_free_crm/issues/300",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/fatfreecrm/fat_free_crm/issues/300"
},
{
"name": "[oss-security] 20131228 Re: CVE request: Fat Free CRM multiple vulnerabilities",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2013/12/28/2"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29"
},
{
"name": "20131224 Happy Holidays / Xmas Advisory",
"refsource": "FULLDISC",
"tags": [],
"url": "http://seclists.org/fulldisclosure/2013/Dec/199"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/commit/a7fedbb36388bad0c0f32b2346481e0ea126dea6",
"refsource": "CONFIRM",
"tags": [
"Patch"
],
"url": "https://github.com/fatfreecrm/fat_free_crm/commit/a7fedbb36388bad0c0f32b2346481e0ea126dea6"
},
{
"name": "http://www.phenoelit.org/stuff/ffcrm.txt",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://www.phenoelit.org/stuff/ffcrm.txt"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2014-01-03T17:11Z",
"publishedDate": "2014-01-02T14:59Z"
}
}
}