Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii


Reported on

Jun 2nd 2021

✍️ Description

The /export/export endpoint does not have CSRF protection. This could be used to force a download of account data and potentially to spoof users.

🕵️‍♂️ Proof of Concept

  • Log in to the user account.
  • Create the following file and open it in a browser.
// PoC.html
        To verify that you are a human, upload the file that has been downloaded from our website now.
        <a href="">Download Test File</a>
  • This downloads the user's data from the application without the user's permission. An attacker can then spoof the user into uploading this file to an attacker-controlled server.

💥 Impact

Potential private information leakage through phishing by exploiting the missing CSRF token.
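The report boils down to a sensitive endpoint reachable by a plain cross-site link, with nothing tying the request to the page the user actually clicked on. The following added example (not Firefly III's code; a stand-alone model of the synchronizer-token pattern) shows the two checks a handler like /export/export needs: refuse non-POST requests, and compare a per-session token against the one submitted with the form. The function names, the `_token` field name and the 419 status are assumptions for the illustration (419 is the status Laravel returns on a token mismatch).

```python
import hmac
import secrets

# Stand-alone model of a CSRF-protected export handler. Assumed names:
# issue_csrf_token, handle_export, "_token". Not the project's own code.


def issue_csrf_token(session: dict) -> str:
    """Store a fresh random token in the server-side session and return it
    so the legitimate export page can embed it in its form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_export(method: str, session: dict, form: dict,
                  account_data: bytes) -> tuple[int, bytes]:
    """Return (status, body) for an export request.

    A cross-site <a href> or auto-submitted form carries the victim's session
    cookie, but it cannot read the token stored in that session, so a missing
    or mismatched token identifies a forged request."""
    if method != "POST":
        return 405, b""  # a link click (GET) must never trigger the export
    expected = session.get("csrf_token")
    supplied = form.get("_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not expected or not hmac.compare_digest(expected, supplied):
        return 419, b""  # token mismatch: refuse to produce the data
    return 200, account_data


def simulate(account_data: bytes) -> dict:
    """Run the forged and the legitimate request shapes against one session.
    Sample data is constructed inline for the demonstration."""
    session: dict = {}
    token = issue_csrf_token(session)
    return {
        "cross_site_link":  handle_export("GET", session, {}, account_data)[0],
        "form_without_tok": handle_export("POST", session, {}, account_data)[0],
        "form_wrong_token": handle_export("POST", session, {"_token": "x"}, account_data)[0],
        "legitimate_form":  handle_export("POST", session, {"_token": token}, account_data)[0],
    }


if __name__ == "__main__":
    print(simulate(b"id,name\n1,checking\n"))
```

Only the request that originates from the application's own page, and therefore carries the session-bound token, receives the export; the three shapes an attacker can produce from another origin are all rejected.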

Jamie Slome
a year ago


I have contacted the maintainer privately via e-mail and we will await a response from them.

James Cole validated this vulnerability a year ago
Oomb has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole
a year ago


Valid issue. Thanks again. I have pushed a commit that should fix this. I would appreciate it if somebody verified that it works; then I can release 5.5.12 to fix it (with proper credits in the changelog etc.).

Jamie Slome
a year ago


No worries James.

@oomb, can you please check the patch?

a year ago


James, the fix looks good to me. I think you can proceed with the release. Thank you for your quick response.

James Cole confirmed that a fix has been merged on 530332 a year ago
has been awarded the fix bounty
a year ago