Withdrawn

This advisory has been withdrawn because the CVE has been disputed and the underlying vulnerability is likely invalid. This link is maintained to preserve external references.

According to maintainers of Fat Free CRM, the CRM comment feature allows certain HTML markup, but santizes the output when rendered to page. This allows safe tags (such as <h1> which the author tested and reported as a vulnerability) but correctly disallows <script> tags and other dangerous entities.

Original Description

HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.

References

• https://nvd.nist.gov/vuln/detail/CVE-2019-10226
• http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/fat_free_crm/CVE-2019-10226.yml
• fatfreecrm/fat_free_crm#1235
• github/advisory-database#3599
• https://apidock.com/rails/ActionView/Helpers/TextHelper/simple_format
• https://github.com/fatfreecrm/fat_free_crm/blob/master/app/views/comments/_comment.html.haml#L2
• https://www.exploit-db.com/exploits/46617