Description
Back in 2019, a post appeared incorrectly claiming to have found a vulnerability in Fat Free CRM: http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html
This claim was submitted to the Fat Free CRM security mailing list at the time and was checked out. It was found to be a false positive, but for some reason a CVE had already been requested by the original poster (not by the FFCRM team). The poster was asked to close the CVE, but I have now realised this never happened and the CVE is currently still open.
This CVE has now made its way into GitHub's security database, and various tools that depend on it (e.g. bundle-audit) are erroneously flagging current versions of Fat Free CRM as vulnerable.
I've raised a PR for the GHSA asking for it to be removed but was advised that we need to contact MITRE as they are the original assigning entity.
Action: Request an update to an existing CVE Entry by using the form at https://cveform.mitre.org/
This ticket is here to track my progress.
References: