Fat Free CRM has BOLA in DELETE /emails/:id - Any authenticated user can hit this endpoint and delete emails by ID
Authenticated users can delete emails imported into the system assigned to another user; where the Email Dropbox is in use.
Advisories for Gem/Fat_free_crm package
2026
2022
Improper Input Validation
fat_free_crm is a an open source, Ruby on Rails customer relationship management platform (CRM). In versions prior to 0.20.1 an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit c85a254 and will be available in release 0.20.1. Users are advised to upgrade or to manually apply patch c85a254. There are no known workarounds for this …
2019
Cross-site Scripting
Fat Free CRM has XSS in the tags_helper in app/helpers/tags_helper.rb.
Injection Vulnerability
HTML Injection has been discovered in the Fat Free CRM product via an authenticated request to the /comments URI.
2018
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
fat_free_crm is vulnerable to XSS.
2015
CSRF vulnerability
There's a flaw as HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to creating administrative users.
2014
Javascript cross-site scripting (XSS) vulnerability
Fat Free CRM Gem contains a javascript cross-site scripting (XSS) vulnerability. When a user is created/updated using a specifically crafted username, first name or last name, it is possible for arbitrary javascript to be executed on all Fat Free CRM pages. This code would be executed for all logged-in users.
Remote attackers can obtain sensitive informations
This package contains a flaw that is triggered when the attacker sends a direct request for XML data. This may allow a remote attacker to gain access to potentially sensitive information.
Multiple SQL Injections
In app/controllers/home_controller.rb, the timeline method exposes an SQL Injection vulnerability.
Lack of CSRF Protection
In app/controllers/application_controller.rb the protect_from_forgery statement is missing, therefore Fat Free CRM is vulnerable to CSRF attacks.
Known Session Secret
In config/initialiers/secret_token.rb a static secret token is defined, with the knowledge of this token an attacker is able to execute arbitrary Ruby code server side.
Default to_json for models
The users controller renders JSON requests with a full JSON object.