Hello guys, this is Sam, CEO and Chief Security Architect, Provensec LLC.
Please take note of the following submission.
# Affected software: Fat Free CRM - URL: http://www.fatfreecrm.com/
# Discovered by: Provensec
# Website: http://www.provensec.com
# Type of vulnerability: XSS Stored
#
# Fat Free CRM is an open source Ruby on Rails-based customer relationship management platform. Out of the box it features group collaboration, campaign and lead management, contact lists, and opportunity tracking.
#
# Description: Fat Free CRM is prone to a Persistent Cross Site Scripting attack that allows a malicious user to inject HTML or scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.
# Proof of concept:
1> Go to http://demo.fatfreecrm.com
2> Create an account and go to edit profile.
3> Fill in the first name field with a JavaScript payload, e.g.: <script>XSS by Provensec</script>
4> Save it and reload the page. The JavaScript payload gets executed in the browser.
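As an added example (not part of this advisory or of the Fat Free CRM code base), a minimal Ruby illustration of why the stored first name becomes active markup: a view that inserts the field unescaped versus one that HTML-encodes it at render time, using the advisory's payload as constructed input. The render functions and the check are hypothetical, written to show the defect class and the fix.

```ruby
require 'erb'

# Constructed sample input: the first-name value from the proof of concept above.
POC_FIRST_NAME = '<script>XSS by Provensec</script>'

# Vulnerable pattern (hypothetical): the stored value is concatenated into the
# page without output encoding. In a Rails view this is what happens when a
# template calls raw(...) or .html_safe on user-controlled data.
def render_profile_unsafe(first_name)
  "<div class=\"profile\"><h2>#{first_name}</h2></div>"
end

# Hardened pattern: encode at render time. ERB::Util.html_escape is the same
# escaping that a Rails <%= %> tag applies by default; only raw/html_safe opt out.
def render_profile_safe(first_name)
  "<div class=\"profile\"><h2>#{ERB::Util.html_escape(first_name)}</h2></div>"
end

# Regression check suitable for a view or integration test: the rendered page
# must not contain a script element derived from the stored profile field.
def contains_script_tag?(html)
  !!(html =~ /<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_profile_unsafe(POC_FIRST_NAME)}"
  puts "safe:   #{render_profile_safe(POC_FIRST_NAME)}"
end
```

The safe rendering emits `&lt;script&gt;XSS by Provensec&lt;/script&gt;` as inert text, which is the behaviour to assert on for every field shown in the profile page, not just the first name.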