Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
XSS vulnerability (26th August 2014)
Versions affected: all versions >= v0.11.1
Fixed version: v0.13.3
Disabling user creation and signup will help to mitigate the vulnerability, but not entirely. It would still possible for logged in users to edit their own user account details to take advantage of vulnerability - this would then affect all users of the Fat Free CRM site.
For those needing to patch manually, please apply the changes in this commit:
Responsible disclosure reminder
Please report issues to email@example.com. We will work with you to understand the issue and how we can fix it. Please do not disclose the issue publicly until it has been resolved and released. We're more than willing to give you credit for discovering the issue, once it has been patched and announced, but until then we ask that you consider the security implications of the issue you have found and the impact on others using an un-patched system.
Further details can be found here: https://github.com/fatfreecrm/fat_free_crm/wiki/Security