
Fat Free CRM Cross Site Scripting

Posted on 23 August 2014

Hello guys, this is Sam, CEO and Chief Security Architect, Provensec LLC. Please take note of the following submission.

# Affected software: Fat Free CRM
# URL: http://www.fatfreecrm.com/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Type of vulnerability: XSS Stored
#
# Fat Free CRM is an open source Ruby on Rails-based customer relationship management platform. Out of the box it features group collaboration, campaign and lead management, contact lists, and opportunity tracking.
#
# Description: Fat Free CRM is prone to a Persistent Cross Site Scripting attack that allows a malicious user to inject HTML or scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.
#
# Proof of concept:
1> Go to http://demo.fatfreecrm.com
2> Create an account and go to edit profile.
3> Fill the first name with a javascript payload, e.g.: <script>XSS by Provensec</script>
4> Save it and reload the page. The javascript payload gets executed in the browser.
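The root cause of a stored XSS like the one above is output that is not HTML-escaped. As an added example (not code from the advisory or from the Fat Free CRM project), the Ruby below contrasts a rendering path that interpolates the stored first name raw with one that escapes it, using the proof-of-concept value from the advisory; the function names are my own and the rendering fragments are constructed.

```ruby
require 'erb'

# Constructed sample: the first-name value from the advisory's proof of
# concept, exactly as a user could store it through the profile form.
POC_FIRST_NAME = '<script>XSS by Provensec</script>'

# Vulnerable pattern: the stored value is interpolated into page markup
# unchanged (the Rails equivalent is calling `raw` or `html_safe` on user
# input), so the browser parses the stored <script> element and runs it on
# every page view.
def render_profile_unsafe(first_name)
  "<h1>Welcome, #{first_name}</h1>"
end

# Hardened pattern: HTML-escape on output. Rails' `<%= %>` does this by
# default; a vulnerable code path is one that bypasses it. Escaping turns
# the markup-significant characters (& < > " ') into entities, so the stored
# text is displayed literally instead of being parsed as an element.
def render_profile_safe(first_name)
  "<h1>Welcome, #{ERB::Util.html_escape(first_name)}</h1>"
end

# Defender-side check on rendered output: does the fragment still contain a
# parseable script element? This is what makes the two renderings testable.
def contains_script_element?(html)
  html.match?(%r{<script\b[^>]*>.*?</script\s*>}im)
end

# Storage-side audit helper: after deploying the output-escaping fix, flag
# already-stored profile fields that contain anything resembling an HTML tag
# so they can be reviewed and cleaned.
def looks_like_markup?(value)
  value.match?(%r{<\s*/?\s*[a-z][^>]*>}i)
end

if __FILE__ == $0
  puts render_profile_unsafe(POC_FIRST_NAME)
  puts render_profile_safe(POC_FIRST_NAME)
end
```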
