Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2015-1585
Vulnerability from gsd - Updated: 2015-02-16 00:00Details
Fat Free CRM contains a flaw as HTTP requests to /admin/users do not require
multiple steps, explicit confirmation, or a unique token when performing
certain sensitive actions. By tricking a user into following a specially
crafted link, a context-dependent attacker can perform a Cross-Site Request
Forgery (CSRF / XSRF) attack causing the victim to creating administrative
users.
Aliases
{
"GSD": {
"alias": "CVE-2015-1585",
"description": "Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account.",
"id": "GSD-2015-1585",
"references": [
"https://packetstormsecurity.com/files/cve/CVE-2015-1585"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "fat_free_crm",
"purl": "pkg:gem/fat_free_crm"
}
}
],
"aliases": [
"CVE-2015-1585",
"OSVDB-118465",
"GHSA-wx7c-8j35-mpg8"
],
"details": "Fat Free CRM contains a flaw as HTTP requests to /admin/users do not require\nmultiple steps, explicit confirmation, or a unique token when performing\ncertain sensitive actions. By tricking a user into following a specially\ncrafted link, a context-dependent attacker can perform a Cross-Site Request\nForgery (CSRF / XSRF) attack causing the victim to creating administrative\nusers.\n",
"id": "GSD-2015-1585",
"modified": "2015-02-16T00:00:00.000Z",
"published": "2015-02-16T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1585"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
}
],
"summary": "Fat Free CRM Gem being vulnerable to CSRF-type attacks"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1585",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fatfreecrm/fat_free_crm/wiki/CSRF-Vulnerability-%28CVE-2015-1585%29",
"refsource": "CONFIRM",
"url": "https://github.com/fatfreecrm/fat_free_crm/wiki/CSRF-Vulnerability-%28CVE-2015-1585%29"
},
{
"name": "20150214 [CVE-2015-1585] Fat Free CRM - CSRF Vulnerability in Version 0.13.5",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/534709/100/0/threaded"
},
{
"name": "fatfreecrm-cve20151585-csrf(100925)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100925"
},
{
"name": "http://packetstormsecurity.com/files/130410/Fat-Free-CRM-0.13.5-Cross-Site-Request-Forgery.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/130410/Fat-Free-CRM-0.13.5-Cross-Site-Request-Forgery.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-1585",
"cvss_v2": 6.8,
"date": "2015-02-16",
"description": "Fat Free CRM contains a flaw as HTTP requests to /admin/users do not require\nmultiple steps, explicit confirmation, or a unique token when performing\ncertain sensitive actions. By tricking a user into following a specially\ncrafted link, a context-dependent attacker can perform a Cross-Site Request\nForgery (CSRF / XSRF) attack causing the victim to creating administrative\nusers.\n",
"gem": "fat_free_crm",
"ghsa": "wx7c-8j35-mpg8",
"osvdb": 118465,
"patched_versions": [
"\u003e= 0.13.6"
],
"title": "Fat Free CRM Gem being vulnerable to CSRF-type attacks",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1585"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c0.13.6",
"affected_versions": "All versions before 0.13.6",
"credit": "Sven Schleier",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-352",
"CWE-937"
],
"date": "2018-10-09",
"description": "There\u0027s a flaw as HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to creating administrative users.",
"fixed_versions": [
"0.13.6"
],
"identifier": "CVE-2015-1585",
"identifiers": [
"CVE-2015-1585"
],
"not_impacted": "All versions starting from 0.13.6",
"package_slug": "gem/fat_free_crm",
"pubdate": "2015-02-19",
"solution": "Upgrade to version 0.13.6 or above.",
"title": "CSRF vulnerability",
"urls": [
"http://osvdb.org/show/osvdb/118465"
],
"uuid": "a42ea001-b6b5-4f4c-9073-ef788bb78e22"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "0.13.5",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1585"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fatfreecrm/fat_free_crm/wiki/CSRF-Vulnerability-%28CVE-2015-1585%29",
"refsource": "CONFIRM",
"tags": [],
"url": "https://github.com/fatfreecrm/fat_free_crm/wiki/CSRF-Vulnerability-%28CVE-2015-1585%29"
},
{
"name": "http://packetstormsecurity.com/files/130410/Fat-Free-CRM-0.13.5-Cross-Site-Request-Forgery.html",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/130410/Fat-Free-CRM-0.13.5-Cross-Site-Request-Forgery.html"
},
{
"name": "fatfreecrm-cve20151585-csrf(100925)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/100925"
},
{
"name": "20150214 [CVE-2015-1585] Fat Free CRM - CSRF Vulnerability in Version 0.13.5",
"refsource": "BUGTRAQ",
"tags": [],
"url": "http://www.securityfocus.com/archive/1/534709/100/0/threaded"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2018-10-09T19:55Z",
"publishedDate": "2015-02-19T15:59Z"
}
}
}