Skip to content

XSS vulnerability (26th August 2014)

steveyken edited this page Sep 4, 2014 · 1 revision

A javascript cross-site scripting (XSS) vulnerability has been found and fixed in the most recent version of Fat Free CRM.

Versions affected: all versions >= v0.11.1

Fixed version: v0.13.3


When a user is created/updated using a specifically crafted username, first name or last name, it is possible for arbitrary javascript to be executed on all Fat Free CRM pages. This code would be executed for all logged in users.


Disabling user creation and signup will help to mitigate the vulnerability, but not entirely. It would still possible for logged in users to edit their own user account details to take advantage of vulnerability - this would then affect all users of the Fat Free CRM site.


For those needing to patch manually, please apply the changes in this commit:

Responsible disclosure reminder

Please report issues to We will work with you to understand the issue and how we can fix it. Please do not disclose the issue publicly until it has been resolved and released. We're more than willing to give you credit for discovering the issue, once it has been patched and announced, but until then we ask that you consider the security implications of the issue you have found and the impact on others using an un-patched system.

Further details can be found here: