Moderate severity · NVD Advisory · Published Sep 12, 2014 · Updated May 6, 2026
CVE-2014-5441
Description
Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) create or (b) edit user action.
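The defect the description names, as an added Ruby example that is not Fat Free CRM's code: the string-interpolated builder from the vulnerable view beside a hardened builder that serialises the labels with Ruby's JSON encoder and then rewrites the characters that can terminate an inline script block (a different technique from the project's fix, which applies the `j` view helper to each value); the sample users are constructed.

```ruby
require "json"

# Constructed sample users (not from the project); the second one carries a
# script-closing payload of the kind the advisory describes.
SAMPLE_USERS = [
  { full_name: "Alice Example", username: "alice" },
  { full_name: "</script><script>alert(1)</script>", username: "mallory" }
].freeze

# Before the fix: each name is dropped straight into a JavaScript string
# literal, so "</script>" ends the inline script block as far as the HTML
# parser is concerned, whatever the surrounding JavaScript says.
def users_js_vulnerable(users)
  entries = users.map { |u| "\"#{u[:full_name]} (@#{u[:username]})\"" }
  "var _ffcrm_users = [\n#{entries.join(",\n")}\n];"
end

# Characters a JSON encoder leaves alone but that still matter inside an
# inline <script>: angle brackets, ampersand and the JS line terminators.
JS_SAFE = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# Hardened alternative: let the JSON encoder quote and escape every label
# (quotes, backslashes, control characters), then rewrite the remaining
# dangerous characters as \uXXXX escapes, which JavaScript reads back as
# the same characters, so no data is lost.
def users_js_hardened(users)
  labels = users.map { |u| "#{u[:full_name]} (@#{u[:username]})" }
  json = JSON.generate(labels).gsub(/[<>&\u2028\u2029]/, JS_SAFE)
  "var _ffcrm_users = #{json};"
end

# Decode the emitted array the way a JavaScript engine would, to check that
# the hardened output still carries the original labels intact.
def decode_users_array(js)
  JSON.parse(js[/\[.*\]/m])
end
```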
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fat_free_crm (RubyGems) | >= 0.11.1, < 0.13.3 | 0.13.3 |
Affected products
- cpe:2.3:a:fatfreecrm:fat_free_crm:*:*:*:*:*:*:*:* (range: <= 0.13.0)
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.11.4:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:fatfreecrm:fat_free_crm:0.12.1:*:*:*:*:*:*:*
Patches
195464495f1e3 · json_escape user input
1 file changed · +1 −1
app/views/layouts/application.html.haml+1 −1 modified@@ -27,7 +27,7 @@ :javascript #{yield :javascript} var _ffcrm_users = [ - #{User.all.map{|u| "\"#{u.full_name} (@#{u.username})\"" }.join(",\n")} + #{User.all.map{|u| "\"#{j u.full_name} (@#{j u.username})\"" }.join(",\n")} ]; <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
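Review bot: the commit message says json_escape, but the `+` line applies `j`, which in Rails views is the alias for `escape_javascript`; that is the right helper for this spot, because each value lands inside a double-quoted JavaScript string literal within the `:javascript` filter and `escape_javascript` escapes `"`, `\`, line breaks and `</`, so a name containing `</script>` can no longer close the inline block. Suggest the message name the helper actually used, and consider serialising the whole `User.all` list once with a JSON encoder (an array of label strings passed through `to_json`) instead of building the literal by string interpolation, which is easier to audit for the same class of bug the next time a field is added.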