oss-sec mailing list archives
Re: CVE request: Fat Free CRM multiple vulnerabilities
From: cve-assign () mitre org
Date: Sat, 28 Dec 2013 07:23:15 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.phenoelit.org/stuff/ffcrm.txt
http://seclists.org/fulldisclosure/2013/Dec/199
https://github.com/fatfreecrm/fat_free_crm/issues/300
https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-%2827th-Dec-2013%29

1. Known Session Secret
https://github.com/fatfreecrm/fat_free_crm/commit/93c182dd4c6f3620b721d2a15ba6a6ecab5669df

Use CVE-2013-7222.

2. Lack of CSRF Protection
https://github.com/fatfreecrm/fat_free_crm/commit/a7fedbb36388bad0c0f32b2346481e0ea126dea6

Use CVE-2013-7223.

3. Default to_json for models
https://github.com/fatfreecrm/fat_free_crm/commit/cf26a04b356ad2161c4c6160260eb870a3de5328

Use CVE-2013-7224.

4. Multiple SQL Injections
https://github.com/fatfreecrm/fat_free_crm/commit/078035f1ef73ed85285ac9d128c3c5f670cef066
https://github.com/fatfreecrm/fat_free_crm/commit/d4b2de81a4d8c1b201482edcb2488ed9280a65fd

Use CVE-2013-7225.

For item 3: if there is an information-disclosure vulnerability involving to_xml, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only to_json, and therefore to_xml has a different discoverer and may require a separate CVE ID.

If there is a denial of service issue involving :delete, please let us know and we can assign an additional CVE ID. The joernchen advisory mentioned only "renders JSON requests with a full JSON object," and therefore :delete has a different discoverer and may require a separate CVE ID.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSvsH6AAoJEKllVAevmvmsjksIAMeaH2HBfTrSNt83LAy1Sk0c
Q+lexLe6vIsOQLeh02/vk4zk/piqcuQGcmTmpEQ+X5lT+7zwrBoZAe3/g36Nb+mM
uJh9gBzsJkq0JUnqRVn84e9gxnJpqXjUB0aRRhaFrMBKB5jdTDFpWzKWS77KVzhI
QlgEMBObp4WUQHjAfsZcN+cs+xWjMVvR7+rk1AWJ9hAjT02UBGigVNWe5PmDrb8z
/yqcrQiEFTENbdQKSjNxlSSoEFWxEUF1b4PInNl7451ep0Ee2ZKoi9bte8h8pgsP
rOzEsPzu0yevLI7Wgrvl+clSdesuvIi6/2kGklv5LTsM23Rw/spat4nkAuFPKlU=
=PZmt
-----END PGP SIGNATURE-----
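Item 3 above (CVE-2013-7224, "Default to_json for models") and the to_xml follow-up question concern the same class of defect: a model's default serializer emits every column, so a JSON (or XML) response built from the model leaks fields that were never meant to leave the application. The following is an added example written for this archive page, not code from Fat Free CRM or from the MITRE message. It uses plain Ruby objects to stand in for ActiveRecord-style models (an assumption, so it runs without Rails); the class names, the attribute list and the sample row are constructed. It contrasts the default "dump everything" serialization with an explicit attribute allowlist, and includes a small check a reviewer can run against any model class to confirm no secret-bearing attribute reaches the wire.

```ruby
require 'json'

# Constructed stand-in for an ActiveRecord-style model: a hash of column
# values, and a default serializer that emits all of them. This mirrors the
# general behaviour the advisory item "Default to_json for models" refers to;
# the exact Fat Free CRM code is not reproduced here.
class LeakyUser
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  # Default behaviour: every attribute, including credential material, is
  # included in the serialized form.
  def as_json(_options = nil)
    @attributes
  end

  def to_json(*args)
    as_json.to_json(*args)
  end
end

# Hardened variant: an explicit allowlist of attributes that may be exposed.
# Anything not listed (password hashes, salts, tokens) is dropped regardless
# of which columns the table gains later.
class SafeUser < LeakyUser
  PUBLIC_ATTRIBUTES = %w[id username email].freeze

  def as_json(_options = nil)
    @attributes.select { |key, _value| PUBLIC_ATTRIBUTES.include?(key) }
  end
end

# Constructed sample row; the secret-looking values are placeholders.
SAMPLE_ROW = {
  'id' => 1,
  'username' => 'alice',
  'email' => 'alice@example.test',
  'password_hash' => '$2a$10$constructed-placeholder',
  'password_salt' => 'constructed-salt',
  'api_token' => 'constructed-token'
}.freeze

# Attribute names that must never appear in a serialized response.
SENSITIVE_ATTRIBUTES = %w[password_hash password_salt api_token].freeze

# Serialize a model instance the way a controller's `render json:` would,
# then parse it back to see which keys actually reached the wire.
def exposed_keys(model_class)
  JSON.parse(model_class.new(SAMPLE_ROW).to_json).keys
end

# Reviewer check: which sensitive attributes does this model class leak?
# An empty result means the serializer is safe for the sample row.
def leaked_secrets(model_class)
  exposed_keys(model_class) & SENSITIVE_ATTRIBUTES
end

if __FILE__ == $PROGRAM_NAME
  puts "default serializer exposes:   #{exposed_keys(LeakyUser).inspect}"
  puts "default serializer leaks:     #{leaked_secrets(LeakyUser).inspect}"
  puts "allowlisted serializer exposes: #{exposed_keys(SafeUser).inspect}"
  puts "allowlisted serializer leaks:   #{leaked_secrets(SafeUser).inspect}"
end
```

The allowlist is deliberately a positive list rather than an `except:` list: a denylist silently starts leaking the moment a migration adds a new sensitive column, while an allowlist fails closed. The same `leaked_secrets` style check applies unchanged to an XML serializer, which is why the to_xml question in the message is worth answering with the same audit.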