CVE-2018-20975
Description
Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fat Free CRM before v0.18.1 contains a stored/reflected XSS vulnerability in the tags helper.
Vulnerability Description
Fat Free CRM, an open-source customer relationship management application, is vulnerable to cross-site scripting (XSS) in the tags_helper.rb file located at app/helpers/tags_helper.rb [1]. The flaw was present in versions prior to 0.18.1 and allowed injection of malicious script code through the tags functionality [2].
Attack Vector
An attacker can exploit this vulnerability by crafting a tag containing JavaScript code. When the tag is rendered in the application interface without proper escaping or sanitization, the injected code executes in the context of the victim's browser. The attack requires no special privileges beyond the ability to input a tag, which may be possible for authenticated users depending on the application's configuration [1][2].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the affected Fat Free CRM instance. This could lead to session hijacking, credential theft, defacement, or redirection to malicious websites. The vulnerability impacts the confidentiality, integrity, and availability of the CRM data [2].
Mitigation
The issue has been fixed in Fat Free CRM version 0.18.1. Users should upgrade to this version or later to mitigate the risk [1][3][4]. The fix was introduced in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 and is included in the v0.18.1 release [2][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
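The mechanism described above, as an added example that is not Fat Free CRM's own code: it rebuilds the inline handler that `tags_for_index` hands to `link_to_function` with and without the `escape_javascript` call from the fix, then checks whether the tag text stayed inside its JavaScript string literal. The `escape_javascript` here is a stand-in for the Rails helper (same replacement table) so the example runs without Rails; `search_tagged_js`, `parse_search_tagged` and the sample tags are constructed for the example.

```ruby
# Added example (not Fat Free CRM's own code): builds the inline handler that
# tags_for_index passes to link_to_function, before and after commit 6d60bc8,
# and checks whether the tag text stayed inside its JavaScript string literal.
# escape_javascript below stands in for Rails' helper so this runs without Rails;
# it uses the same replacement table ActionView documents.
JS_ESCAPE_MAP = {
  "\\" => "\\\\", "</" => '<\/', "\r\n" => '\n', "\n" => '\n', "\r" => '\n',
  '"' => '\\"', "'" => "\\'", "`" => "\\`", "$" => "\\$"
}.freeze

def escape_javascript(str)
  str.gsub(/(\\|<\/|\r\n|\r|\n|["'`$])/) { |m| JS_ESCAPE_MAP[m] }
end

# escape: false reproduces the pre-0.18.1 line, true the fixed one.
def search_tagged_js(query, table, escape:)
  q = escape ? escape_javascript(query) : query
  "crm.search_tagged('#{q}', '#{table}')"
end

# A single-quoted JS string literal: no raw quote, backslash or line break in
# the body, and every backslash must be followed by exactly one character.
JS_LITERAL = /'((?:[^'\\\r\n]|\\.)*)'/

# Undo the escaping for the characters this example exercises.
def decode_literal(body)
  body.gsub(/\\(.)/) { Regexp.last_match(1) == "n" ? "\n" : Regexp.last_match(1) }
end

# Returns [query, table] only if the handler has exactly the shape
# crm.search_tagged('<q>', '<t>'); nil means part of the tag text ended up
# outside a string literal, where the browser would evaluate it as code.
def parse_search_tagged(js)
  m = js.match(/\Acrm\.search_tagged\(#{JS_LITERAL}, #{JS_LITERAL}\)\z/)
  m && [decode_literal(m[1]), decode_literal(m[2])]
end
```

A tag such as `O'Reilly` is enough to break the unescaped handler: the quote closes the literal early and `parse_search_tagged` returns nil, while the fixed version round-trips the tag intact.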
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fat_free_crm (RubyGems) | < 0.18.1 | 0.18.1 |
Affected products
- Fat Free CRM / Fat Free CRM
Patches
6d60bc8ed010: Context-sensitive XSS bugfix.
1 file changed · +1 −1
app/helpers/tags_helper.rb+1 −1 modified@@ -17,7 +17,7 @@ def tags_for_index(model) elsif !query.include?(hashtag) query += " #{hashtag}" end - out << link_to_function(tag, "crm.search_tagged('#{query}', '#{model.class.to_s.tableize}')", title: tag) + out << link_to_function(tag, "crm.search_tagged('#{escape_javascript(query)}', '#{model.class.to_s.tableize}')", title: tag) end end
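Review bot: the one-line change escapes only the `query` interpolation, which is the right scope: `query` is assembled from user-controlled tag text (`query += " #{hashtag}"`), whereas the second argument, `model.class.to_s.tableize`, is derived from the model class name and not from input. What the hunk lacks is a regression test; suggest a helper spec that renders `tags_for_index` for a tag containing a single quote and asserts the generated handler still has one closed literal (`escape_javascript` turns `'` into `\'`). Note also that `escape_javascript` covers only the JavaScript string context; HTML-escaping of the resulting attribute value is left to the link helper, so that spec should check the rendered attribute as well as the JS string.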
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4p8f-mmfj-r45g (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-20975 (advisory)
- github.com/fatfreecrm/fat_free_crm/commit/6d60bc8ed010c4eda05d6645c64849f415f68d65 (fix commit)
- github.com/fatfreecrm/fat_free_crm/compare/v0.17.3...v0.18.1 (release comparison)
- github.com/fatfreecrm/fat_free_crm/releases/tag/v0.18.1 (release)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/fat_free_crm/CVE-2018-20975.yml (ruby-advisory-db entry)
News mentions
No linked articles in our index yet.