Moderate severity · NVD Advisory · Published Jan 2, 2014 · Updated Apr 29, 2026
CVE-2013-7224
Description
Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.
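As an added illustration (not Fat Free CRM's own code), the serialization pattern behind this advisory in plain Ruby: a constructed stand-in User record whose default dump exposes every column, beside an `as_json` allow-list, and a regression check that scans any JSON document for the hypothetical password and token column names.

```ruby
require "json"

# Constructed stand-in for an ActiveRecord model; not Fat Free CRM code.
# Column names are hypothetical (Authlogic-style), chosen to mirror the
# kind of fields a bare record dump would expose.
class User
  SENSITIVE = %w[crypted_password password_salt persistence_token single_access_token].freeze
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  def name
    attributes["name"]
  end

  # Before the fix: the whole record, password hash and tokens included, goes out.
  def to_json_unrestricted
    attributes.to_json
  end

  # After: an explicit allow-list. Rails' JSON encoder calls as_json on nested
  # objects, so the restriction also holds when a User sits inside a Hash or Array.
  def as_json(_options = nil)
    { "id" => attributes["id"], "name" => name }
  end

  def to_json(options = nil)
    as_json(options).to_json
  end
end

# Regression check: which sensitive keys appear anywhere in a JSON document?
def leaked_fields(json_text, sensitive = User::SENSITIVE)
  collect_keys(JSON.parse(json_text), sensitive, []).uniq
end

def collect_keys(node, sensitive, found)
  case node
  when Hash
    node.each { |k, v| found << k if sensitive.include?(k); collect_keys(v, sensitive, found) }
  when Array
    node.each { |v| collect_keys(v, sensitive, found) }
  end
  found
end

# Constructed sample record with dummy secret values.
SAMPLE_USER = User.new(
  "id" => 1, "name" => "alice", "email" => "alice@example.test",
  "crypted_password" => "$2a$10$constructed", "password_salt" => "constructedsalt",
  "persistence_token" => "tok-persist", "single_access_token" => "tok-single"
)
```

Running `leaked_fields` over every JSON endpoint's response is a cheap guard against this class of over-exposure recurring after a model gains a new column.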
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fat_free_crm (RubyGems) | < 0.12.1 | 0.12.1 |
Affected products
- cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:* (range: <= 0.12.0)
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.9.9:*:*:*:*:*:*:*
Patches
cf26a04b356a: Add custom serializers for xml and json.
4 files changed · +27 −6
app/models/users/user.rb+8 −0 modified@@ -147,6 +147,14 @@ def group_ids=(value) super(value) end + def to_json(options = nil) + [name].to_json + end + + def to_xml(options = nil) + [name].to_xml + end + private # Suspend newly created user if signup requires an approval.
config/routes.rb+1 −1 modified@@ -137,7 +137,7 @@ end end - resources :users, :id => /\d+/ do + resources :users, :id => /\d+/, :except => [:index, :destroy] do member do get :avatar get :password
spec/models/users/user_spec.rb+14 −0 modified@@ -209,4 +209,18 @@ @user.single_access_token.should == "token" end end + + describe "serialization" do + + let(:user) { FactoryGirl.build(:user) } + + it "to json" do + expect(user.to_json).to eql([user.name].to_json) + end + + it "to xml" do + expect(user.to_xml).to eql([user.name].to_xml) + end + + end end
spec/routing/users_routing_spec.rb+4 −5 modified@@ -8,8 +8,8 @@ describe UsersController do describe "routing" do - it "recognizes and generates #index" do - { :get => "/users" }.should route_to(:controller => "users", :action => "index") + it "doesn't recognize #index" do + { :get => "/users" }.should_not be_routable end it "recognizes and generates #new as /signup" do @@ -40,8 +40,8 @@ { :put => "/opportunities/aaron" }.should_not be_routable end - it "recognizes and generates #destroy" do - { :delete => "/users/1" }.should route_to(:controller => "users", :action => "destroy", :id => "1") + it "doesn't recognize #destroy" do + { :delete => "/users/1" }.should_not be_routable end it "doesn't recognize #destroy with non-numeric id" do @@ -81,4 +81,3 @@ end end end -
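Review bot: in the app/models/users/user.rb hunk, overriding `to_json`/`to_xml` on the model only covers callers that invoke those methods directly (e.g. `render :json => user`); ActiveSupport's JSON encoder calls `as_json` on nested objects, so a user embedded in a Hash or Array (`render :json => { :user => user }`, a serialized association) still emits the full attribute set. Define the allow-list in `as_json(options)` (and `serializable_hash` for XML) and let `to_json` delegate to it; the `options` argument is currently accepted and silently discarded, which also hides any `:only`/`:except` a caller passes.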
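Review bot: in the config/routes.rb hunk, `:except => [:index, :destroy]` removes the collection listing, but `show` remains routable with the optional format segment, so `users/1.json` (the request named in the advisory) is still served and the model-level serializer override becomes the sole control on that path. If the users resource has no JSON/XML consumers, dropping those formats at the route or in the controller's `respond_to` is the more direct fix; either way the change should say whether the `destroy` action in the controller is also being retired or merely unreachable.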
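Review bot: in the spec/models/users/user_spec.rb hunk, `expect(user.to_json).to eql([user.name].to_json)` restates the implementation rather than the security property; it would pass equally for any change to the serializer as long as the two sides move together. Add a negative assertion on the fields the advisory is about, e.g. `expect(user.to_json).not_to include(user.single_access_token)` (the token is already exercised in the surrounding context), and the same for the password hash and salt columns.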
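Review bot: in the spec/routing/users_routing_spec.rb hunks, the new `should_not be_routable` cases for `#index` and `#destroy` cover the removed routes, but nothing covers `GET /users/1.json`, which is the vector in the advisory and stays routable; a controller or request spec asserting the minimal JSON body for that request would tie the test suite to the actual CVE. The final `@@ -81,4 +81,3 @@` hunk only removes a trailing blank line and could be left out of a security fix to keep the diff focused.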
References
- www.phenoelit.org/stuff/ffcrm.txt (NVD: Exploit)
- github.com/advisories/GHSA-4xq9-vw89-p5cx (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-7224 (GHSA: Advisory)
- openwall.com/lists/oss-security/2013/12/28/2 (NVD: Web)
- seclists.org/fulldisclosure/2013/Dec/199 (NVD: Web)
- github.com/fatfreecrm/fat_free_crm/commit/cf26a04b356ad2161c4c6160260eb870a3de5328 (NVD: Web)
- github.com/fatfreecrm/fat_free_crm/issues/300 (NVD: Web)