# Affected software:

Fat Free CRM - URL: http://www.fatfreecrm.com/
# Discovered by:
Ankit Bharathan


# Type of vulnerability: Stored XSS
#
# Fat Free CRM is an open source Ruby on Rails-based customer relationship
management platform. Out of the box it features group collaboration, campaign
and lead management, contact lists, and opportunity tracking.
#
# Description: Fat Free CRM is prone to a persistent (stored) cross-site
scripting attack that allows a malicious user to inject HTML or scripts that
can access any cookies, session tokens, or other sensitive information
retained by the victim's browser and used with that site.
# Proof of concept:
1> Go to http://demo.fatfreecrm.com/users/1
2> Go to "Edit profile".
3> Fill the "alternate email" field with a JavaScript payload, e.g.:

<body/onload=alert(1)>

4> Save it and reload the page; the JavaScript payload gets executed.
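The root cause is that the stored alternate-email value is written back into the profile page without HTML encoding. The following Ruby snippet is an added illustration, not Fat Free CRM's own code: it contrasts the unsafe interpolation pattern with output encoding via ERB::Util.html_escape (what Rails ERB does by default for <%= %> unless a view bypasses it with raw/html_safe), and adds an input-side check that rejects non-email values on save. The field name, the helper names and the sample value are assumptions for the example.

```ruby
# Added example (not Fat Free CRM code): rendering the alternate-email field
# unsafely vs. safely, plus validating the field so markup never gets stored.
require 'erb'
require 'uri'

# Constructed sample: the stored payload from the advisory above.
PAYLOAD = '<body/onload=alert(1)>'

# Vulnerable pattern: user data interpolated straight into markup, which is
# what happens in a Rails view when the value is marked html_safe or wrapped
# in raw(). The browser parses the stored string as a tag.
def render_alt_email_unsafe(alt_email)
  "<td class=\"alt_email\">#{alt_email}</td>"
end

# Hardened pattern: HTML-encode the stored value at output time, so '<' and
# '>' become '&lt;' and '&gt;' and the browser shows text, not a tag.
def render_alt_email_safe(alt_email)
  "<td class=\"alt_email\">#{ERB::Util.html_escape(alt_email)}</td>"
end

# Defence in depth: reject anything that is not an email address before it
# reaches the database. URI::MailTo::EMAIL_REGEXP is in Ruby's stdlib.
def valid_alt_email?(value)
  return true if value.nil? || value.empty? # the field is optional
  value.match?(URI::MailTo::EMAIL_REGEXP)
end

if __FILE__ == $0
  puts render_alt_email_unsafe(PAYLOAD) # tag survives: exploitable
  puts render_alt_email_safe(PAYLOAD)   # tag is encoded: inert text
  puts valid_alt_email?(PAYLOAD)        # false: would be rejected on save
end
```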



-- 

Best Regards,
*Ankit Bharathan.*