VYPR
Moderate severity · NVD Advisory · Published Feb 19, 2015 · Updated May 6, 2026

CVE-2015-1585

Description

Fat Free CRM before 0.13.6 allows remote attackers to conduct cross-site request forgery (CSRF) attacks via a request without the authenticity_token, as demonstrated by a crafted HTML page that creates a new administrator account.
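The mechanism in the description, as an added runnable model that is neither Fat Free CRM's nor Rails' code: MiniController, post_without_token and the session/cookie hashes are hypothetical stand-ins, and the two modes of handle_unverified_request model the Rails 3 default (clear the session, keep going) against the patched override (raise, so the request halts).

```ruby
require 'securerandom'
class InvalidAuthenticityToken < StandardError; end

# Hypothetical minimal controller (not Rails). `session` models the Rails session
# hash; `cookies` models the separate authentication cookie the app relied on.
class MiniController
  attr_reader :users

  def initialize(session:, cookies:, halt_on_unverified:)
    @session, @cookies, @users = session, cookies, []
    @halt_on_unverified = halt_on_unverified
  end

  # Patched behaviour raises and halts; the Rails 3 default only wipes the session.
  def handle_unverified_request
    raise InvalidAuthenticityToken if @halt_on_unverified
    @session.clear
  end

  # Authentication comes from the cookie, so clearing the session does not
  # log the user out: that is the gap the Rails 3 default left open.
  def current_user
    @cookies[:user_credentials]
  end

  # Constant-time comparison of the submitted token with the session token.
  def verified_request?(params)
    expected = @session[:_csrf_token].to_s
    given = params[:authenticity_token].to_s
    return false if expected.empty? || expected.bytesize != given.bytesize
    expected.bytes.zip(given.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # The admin-only "create user" action, guarded like protect_from_forgery.
  def create_user(params)
    handle_unverified_request unless verified_request?(params)
    return :forbidden unless current_user == 'admin'
    @users << { name: params[:name], admin: params[:admin] }
    :created
  end
end

# A POST carrying no authenticity_token while an admin is logged in via the
# cookie (constructed input). Returns what the request achieved.
def post_without_token(halt_on_unverified:)
  ctrl = MiniController.new(session: { _csrf_token: SecureRandom.hex(16) },
                            cookies: { user_credentials: 'admin' },
                            halt_on_unverified: halt_on_unverified)
  ctrl.create_user({ name: 'new_admin', admin: true })
rescue InvalidAuthenticityToken
  :halted
end
```

With the Rails 3 default the token-less request still creates the user; with the patched behaviour it is halted, which is the only outcome a regression test for this fix should accept.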

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: fat_free_crm (RubyGems)
Affected versions: < 0.13.6
Patched versions: 0.13.6

Patches (1)

Commit 86fd7f98c958

Fix for CVE-2015-1585 - CSRF vulnerability.

https://github.com/fatfreecrm/fat_free_crm · Steve Kenworthy · Feb 12, 2015 · via ghsa
1 file changed · +10 −0
  • app/controllers/application_controller.rb · +10 −0 · modified
    @@ -49,6 +49,16 @@ def auto_complete
     
     private
     
    +  #
    +  # In rails 3, the default behaviour for handle_unverified_request is to delete the session
    +  # and continue executing the request. However, we use cookie based authentication and need
    +  # to halt proceedings. In Rails 4, use "protect_from_forgery with: :exception"
    +  # See http://blog.nvisium.com/2014/09/understanding-protectfromforgery.html for more details.
    +  #----------------------------------------------------------------------------
    +  def handle_unverified_request
    +    raise ActionController::InvalidAuthenticityToken
    +  end
    +
       #
       # Takes { :related => 'campaigns/7' } or { :related => '5' }
       #   and returns array of object ids that should be excluded from search
    
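Review bot: the override only takes effect if `protect_from_forgery` is declared in ApplicationController, and this hunk does not show that call; please confirm it is present (and not skipped for the users controller), otherwise `handle_unverified_request` is never reached and the request in the advisory still succeeds. A regression test that POSTs to the user-creation action without `authenticity_token` and expects `ActionController::InvalidAuthenticityToken` would pin the fix to exactly the request the advisory describes. Minor: since the comment already points to `protect_from_forgery with: :exception` for Rails 4, one line saying this override becomes redundant there would stop a future upgrade from carrying both.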
