CVE-2018-1000842
Description
FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2, ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in JavaScript execution. This attack appears to be exploitable via content containing a JavaScript payload, which is executed in end users' browsers when they visit the page. This vulnerability appears to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, 0.14.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FatFreeCRM versions before 0.18.1 contain a stored XSS vulnerability in the tag helper, allowing arbitrary JavaScript execution when users view crafted content.
Vulnerability
FatFreeCRM versions <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 <=0.17.2, and ==0.18.0 contain a Cross-Site Scripting (XSS) vulnerability in the app/helpers/tag_helper.rb file, introduced in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 [1][3]. The vulnerability allows JavaScript payloads embedded in tags used to categorize content to bypass HTML escaping, leading to script execution [3].
Exploitation
An attacker can exploit this vulnerability by creating or modifying content within FatFreeCRM that includes a malicious JavaScript payload in its tags. When other users browse to pages displaying that content, the payload executes in their browsers; the attacker needs no special network position, and no authentication beyond being a user who can create or edit the affected content [1][3].
Impact
Successful exploitation enables arbitrary JavaScript execution in the victim's browser, potentially leading to session hijacking, cookie theft, defacement, or unauthorized actions on behalf of the victim within the application [3]. The attack is stored, meaning the payload persists until removed.
Mitigation
The issue is fixed in versions 0.18.1, 0.17.3, 0.16.4, 0.15.2, and 0.14.2 [1][3]. Users should upgrade to the latest patched version. For manual patching, the commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 can be applied [3]. No workarounds are mentioned; upgrading is strongly recommended [3].
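As an added illustration of the mechanism described under Vulnerability and Mitigation (example code, not FatFreeCRM's own tag helper or its fix commit): a plain-Ruby helper that interpolates user-supplied tag names into markup unescaped, beside a hardened version that escapes them with `ERB::Util.html_escape`. The helper names and sample tag values are constructed for this example.

```ruby
require "erb"

# Constructed sample tag names, as a user might enter them when categorising
# a record; the second one carries a script fragment.
SAMPLE_TAGS = ["customer", "<script>x</script>"].freeze

# Hypothetical vulnerable pattern: the tag name is dropped straight into HTML
# markup, so any markup inside the name becomes part of the rendered page.
def unsafe_tag_links(tags)
  tags.map { |t| %(<a class="tag" href="/tags/#{t}">#{t}</a>) }.join(" ")
end

# Hardened version: every user-controlled value is escaped for the context it
# lands in (URL-encoded inside the href, HTML-escaped in attribute and text),
# so '<', '>', '"' and '&' can never open or close a tag.
def safe_tag_links(tags)
  tags.map do |t|
    name = ERB::Util.html_escape(t)
    href = ERB::Util.html_escape("/tags/#{ERB::Util.url_encode(t)}")
    %(<a class="tag" href="#{href}">#{name}</a>)
  end.join(" ")
end

# Defender's check for a view test: does the rendered markup still contain a
# raw <script> open tag after the helper has run?
def contains_raw_script_tag?(html)
  html.match?(%r{<script\b}i)
end
```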
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fat_free_crm (RubyGems) | < 0.14.2 | 0.14.2 |
| fat_free_crm (RubyGems) | >= 0.15.0, < 0.15.2 | 0.15.2 |
| fat_free_crm (RubyGems) | >= 0.16.0, < 0.16.4 | 0.16.4 |
| fat_free_crm (RubyGems) | >= 0.17.0, < 0.17.3 | 0.17.3 |
| fat_free_crm (RubyGems) | >= 0.18.0, < 0.18.1 | 0.18.1 |
Affected products
Patches
- 306f940b26cc
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j5rj-g695-342r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1000842 (GHSA, advisory)
- github.com/asteinhauser/fat_free_crm/commit/306f940b26ccf3f406665f07bece1229a7a5dcfa (GHSA, x_refsource_MISC, web)
- github.com/asteinhauser/fat_free_crm/issues/1 (GHSA, x_refsource_MISC, web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/fat_free_crm/CVE-2018-1000842.yml (GHSA, web)
- groups.google.com/forum/ (GHSA, web)
- groups.google.com/forum/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.