GSD-2013-7225
Vulnerability from gsd — Updated: 2013-12-24 00:00 — Details
Fat Free CRM contains a flaw that may allow an SQL injection attack. The issue
is due to the app/controllers/home_controller.rb script not properly sanitizing
user-supplied input to the 'state' parameter or input passed via comments and
emails. This may allow a remote attacker — authenticated, per the CVE description
and the CVSS v2 vector (Au:S) — to inject or manipulate SQL queries in the
back-end database, allowing for the manipulation or disclosure of arbitrary data.
Patched in Fat Free CRM 0.12.1 and 0.13.0; all earlier versions are affected.
{
"GSD": {
"alias": "CVE-2013-7225",
"description": "Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.",
"id": "GSD-2013-7225"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "fat_free_crm",
"purl": "pkg:gem/fat_free_crm"
}
}
],
"aliases": [
"CVE-2013-7225",
"OSVDB-101448"
],
"details": "Fat Free CRM contains a flaw that may allow carrying out an SQL injection\nattack. The issue is due to the app/controllers/home_controller.rb script\nnot properly sanitizing user-supplied input to the \u0027state\u0027 parameter or\ninput passed via comments and emails. This may allow a remote attacker to\ninject or manipulate SQL queries in the back-end database, allowing for\nthe manipulation or disclosure of arbitrary data.\n",
"id": "GSD-2013-7225",
"modified": "2013-12-24T00:00:00.000Z",
"published": "2013-12-24T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7225"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.5,
"type": "CVSS_V2"
}
],
"summary": "Fat Free CRM Gem for Ruby allows remote attackers to inject or manipulate SQL queries"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7225",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20131224 Happy Holidays / Xmas Advisory",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2013/Dec/199"
},
{
"name": "[oss-security] 20131228 Re: CVE request: Fat Free CRM multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2013/12/28/2"
},
{
"name": "http://www.phenoelit.org/stuff/ffcrm.txt",
"refsource": "MISC",
"url": "http://www.phenoelit.org/stuff/ffcrm.txt"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/commit/d4b2de81a4d8c1b201482edcb2488ed9280a65fd",
"refsource": "CONFIRM",
"url": "https://github.com/fatfreecrm/fat_free_crm/commit/d4b2de81a4d8c1b201482edcb2488ed9280a65fd"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/commit/078035f1ef73ed85285ac9d128c3c5f670cef066",
"refsource": "CONFIRM",
"url": "https://github.com/fatfreecrm/fat_free_crm/commit/078035f1ef73ed85285ac9d128c3c5f670cef066"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/issues/300",
"refsource": "CONFIRM",
"url": "https://github.com/fatfreecrm/fat_free_crm/issues/300"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29",
"refsource": "CONFIRM",
"url": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-7225",
"cvss_v2": 6.5,
"date": "2013-12-24",
"description": "Fat Free CRM contains a flaw that may allow carrying out an SQL injection\nattack. The issue is due to the app/controllers/home_controller.rb script\nnot properly sanitizing user-supplied input to the \u0027state\u0027 parameter or\ninput passed via comments and emails. This may allow a remote attacker to\ninject or manipulate SQL queries in the back-end database, allowing for\nthe manipulation or disclosure of arbitrary data.\n",
"gem": "fat_free_crm",
"osvdb": 101448,
"patched_versions": [
"\u003e= 0.13.0",
"~\u003e 0.12.1"
],
"title": "Fat Free CRM Gem for Ruby allows remote attackers to inject or manipulate SQL queries",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-7225"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=0.0.0 \u003c0.12.1",
"affected_versions": "All versions starting from 0.0.0 before 0.12.1",
"credit": "Steve Kenworthy",
"cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-89",
"CWE-937"
],
"date": "2014-01-03",
"description": "In `app/controllers/home_controller.rb`, the `timeline` method exposes an SQL Injection vulnerability.",
"fixed_versions": [
"0.12.1",
"0.13.0"
],
"identifier": "CVE-2013-7225",
"identifiers": [
"CVE-2013-7225"
],
"package_slug": "gem/fat_free_crm",
"pubdate": "2014-01-02",
"solution": "Update to latest",
"title": "Multiple SQL Injections",
"urls": [
"http://seclists.org/fulldisclosure/2013/Dec/199"
],
"uuid": "fcf4b694-fccc-4ad3-9530-b5a6531bb574"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "0.12.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.10.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7225"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fatfreecrm/fat_free_crm/issues/300",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/fatfreecrm/fat_free_crm/issues/300"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/commit/d4b2de81a4d8c1b201482edcb2488ed9280a65fd",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/fatfreecrm/fat_free_crm/commit/d4b2de81a4d8c1b201482edcb2488ed9280a65fd"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/commit/078035f1ef73ed85285ac9d128c3c5f670cef066",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/fatfreecrm/fat_free_crm/commit/078035f1ef73ed85285ac9d128c3c5f670cef066"
},
{
"name": "20131224 Happy Holidays / Xmas Advisory",
"refsource": "FULLDISC",
"tags": [],
"url": "http://seclists.org/fulldisclosure/2013/Dec/199"
},
{
"name": "[oss-security] 20131228 Re: CVE request: Fat Free CRM multiple vulnerabilities",
"refsource": "MLIST",
"tags": [],
"url": "http://openwall.com/lists/oss-security/2013/12/28/2"
},
{
"name": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29"
},
{
"name": "http://www.phenoelit.org/stuff/ffcrm.txt",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://www.phenoelit.org/stuff/ffcrm.txt"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2014-01-03T17:04Z",
"publishedDate": "2014-01-02T14:59Z"
}
}
}