Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Reported on Oct 23rd 2021

There is a CSRF vulnerability in the "Run rules again" action.

Proof of Concept

// PoC.html

  <script>history.pushState('', '', '/')</script>
  <form action="">
    <input type="submit" value="Submit request" />
  </form>

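The defensive side of the report, as an added illustration that is not Firefly III's own fix (that landed in ShowController.php and show.twig): a stand-in for the "Run rules again" endpoint that only executes for a POST carrying the session's synchronizer token, so an auto-submitted cross-site form (which sends cookies but cannot read the token) is rejected. The session dict, the `_token` field name and the 405/419 status codes are assumptions for the example.

```python
import hmac
import secrets

# Constructed model of a state-changing endpoint. The real application keeps
# the token in its server-side session; here a plain dict stands in for it.


def issue_csrf_token(session: dict) -> str:
    """Mint a fresh random token and store it in the (hypothetical) session.

    The application renders this value into its own form as a hidden field;
    a third-party page cannot read it because of the same-origin policy.
    """
    session["_token"] = secrets.token_urlsafe(32)
    return session["_token"]


def run_rules_endpoint(session: dict, method: str, form: dict) -> tuple:
    """Return (status, body); run the rules only for a token-bearing POST."""
    if method != "POST":
        # A link or a <form> without method="post" arrives as GET; a GET must
        # never trigger the action, which is what made the original reachable.
        return 405, "method not allowed"
    expected = session.get("_token")
    supplied = form.get("_token", "")
    # Constant-time comparison; both values are ASCII so str args are fine.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 419, "csrf token mismatch"
    return 200, "rules executed"


def legitimate_request(session: dict) -> tuple:
    """The application's own page: token issued, then submitted back."""
    token = issue_csrf_token(session)
    return run_rules_endpoint(session, "POST", {"_token": token})


def forged_get(session: dict) -> tuple:
    """An auto-submitted cross-site form with no method: rejected on method."""
    return run_rules_endpoint(session, "GET", {})


def forged_post(session: dict) -> tuple:
    """A cross-site POST: cookies ride along, but the token value does not."""
    return run_rules_endpoint(session, "POST", {})
```
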
We have contacted a member of the firefly-iii team and are waiting to hear back a year ago
James Cole validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole confirmed that a fix has been merged on b42d8d a year ago
James Cole has been awarded the fix bounty
show.twig#L99-L129 has been validated
ShowController.php#L83-L97 has been validated
James Cole
a year ago

Nice find, fixed!

Jamie Slome
a year ago

CVE published! 🎊