mirror of
https://github.com/0xMarcio/cve.git
synced 2026-05-09 02:45:46 +02:00
CVE-2019-10226
Description
** DISPUTED ** HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI. NOTE: the vendor disputes the significance of this report because some HTML formatting (such as with an H1 element) is allowed, but there is an XSS protection mechanism.
POC
Reference
- http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html
- https://www.exploit-db.com/exploits/46617/