HTML Injection in add expense via transaction tab in firefly-iii/firefly-iii


Reported on

Jan 14th 2023

Steps to reproduce

  • After logging in to the demo account, go to the transaction page, where you can add or create an expense
  • If you're on the right path, there will be a description field while creating or adding an expense
  • In the Description field, enter the following payload <marquee onclick=\u0041\u006cert("_Y000!_")>Y00</marquee> and click save
  • Now you can have a look at the proof of concept below, where our HTML code got executed and is running

Proof of concept


It can allow an attacker to modify the page, to steal another person's identity. The attacker discovers the injection vulnerability and decides to use an HTML injection attack. The attacker crafts malicious links, including the injected HTML content, and sends them to a user via email.
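
The description value from the steps above, rendered raw and then rendered with output encoding, followed by a parser-based check that lists any markup that ended up inside the cell. This is an added example, not Firefly III's code and not the fix in commit e7a1ad; the function names and the table-cell markup are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed input: the description value from the reproduction steps above.
const DESCRIPTION = '<marquee onclick=\u0041\u006cert("_Y000!_")>Y00</marquee>';

// Before: the stored description is concatenated into markup unchanged,
// so the browser parses it as an element with an event-handler attribute.
function renderRaw(string $description): string
{
    return '<td class="description">' . $description . '</td>';
}

// After: encode for the HTML text context at output time. ENT_QUOTES also
// covers a value that is later placed inside a quoted attribute.
function renderEncoded(string $description): string
{
    $safe = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td class="description">' . $safe . '</td>';
}

// Regression check: parse the rendered cell and list every element or on*
// attribute found inside it. An empty list means the description stayed text.
function injectedMarkup(string $cellHtml): array
{
    $previous = libxml_use_internal_errors(true); // <marquee> is unknown to libxml
    $doc = new DOMDocument();
    $doc->loadHTML('<table><tr>' . $cellHtml . '</tr></table>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $found = [];
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//td//*') as $element) {
        $found[] = 'element <' . $element->nodeName . '>';
        foreach ($element->attributes as $attribute) {
            if (stripos($attribute->nodeName, 'on') === 0) {
                $found[] = 'handler ' . $attribute->nodeName;
            }
        }
    }
    return $found;
}

print_r(injectedMarkup(renderRaw(DESCRIPTION)));     // raw rendering
print_r(injectedMarkup(renderEncoded(DESCRIPTION))); // encoded rendering
```

Because the check inspects the parsed result rather than searching the stored string for keywords, the escaped spelling of the handler body in the payload does not affect it.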

We are processing your report and will contact the firefly-iii team within 24 hours. 3 months ago
Nithissh12 modified the report 3 months ago
We have contacted a member of the firefly-iii team and are waiting to hear back 3 months ago
James Cole validated this vulnerability 3 months ago
Nithissh12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
James Cole marked this as fixed in 6.0.0 with commit e7a1ad 3 months ago
James Cole has been awarded the fix bounty
This vulnerability will not receive a CVE
James Cole published this vulnerability 3 months ago
SetDescription.php#L52-L67 has been validated 3 months ago


Why does this vulnerability have no CVE?

James Cole
3 months ago


They told me that if a vulnerability is only self-inflicted (you break it for yourself and nobody else) then no CVE.
