CVE-2019-10226
HTML injection has been discovered in version v0.19.0 of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is an XSS protection mechanism.
Affected products
n/a · n/a

Public PoCs found: 3

- cve_reference: packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html (unverified)
- cve_reference: www.exploit-db.com/exploits/46617/ (unverified)
- exploitdb: www.exploit-db.com/exploits/46617 (unverified)

Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
- http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html
- https://apidock.com/rails/ActionView/Helpers/TextHelper/simple_format
- https://github.com/fatfreecrm/fat_free_crm/blob/master/app/views/comments/_comment.html.haml#L2
- https://github.com/fatfreecrm/fat_free_crm/issues/1235
- https://www.exploit-db.com/exploits/46617/