Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Valid

Reported on

Nov 23rd 2021


Description

CSRF when switching a transaction link

Proof of Concept

<a href="http://10.0.2.15/transactions/link/switch/{id}">CLICK ME!</a>

Impact

This vulnerability is capable of tricking users into switching transaction links.
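Why a plain link is enough here, and what closes the hole: the switch action sits on a route that the browser reaches with a GET, and the browser attaches the victim's session cookie to any navigation, so a link on an unrelated page performs the action as the logged-in user. The toy below is an added illustration, not code from this report or from firefly-iii. It models two server-side handlers for the same route path taken from the proof of concept: one that mutates state on GET (the reported behaviour) and one that accepts only POST and requires a form field matching a token stored in the session (the synchronizer token pattern that Laravel's CSRF middleware applies to non-GET routes). The `_token` field name and the 419 status are Laravel conventions; the session, link and cookie values are constructed for the example, and whether the project's fix followed exactly this shape is not stated on this page.

```python
"""Toy model of the CSRF issue in this report (illustrative, not firefly-iii code).

A state-changing action behind GET can be triggered by a plain link carrying the
victim's cookie; the same action behind POST plus a session-bound token cannot.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    path: str
    session_cookie: Optional[str] = None      # attached by the browser on any navigation
    form: dict = field(default_factory=dict)  # present only for a real form submission


@dataclass
class Session:
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


# Constructed state for the example: one logged-in session and one transaction link.
SESSIONS = {"sess-abc": Session(user_id=1)}
LINKS = {42: {"owner": 1, "source": "TJ-1", "destination": "TJ-2"}}

SWITCH_PREFIX = "/transactions/link/switch/"   # path from the proof of concept


def switch_link(link_id: int) -> dict:
    """The state change itself: swap source and destination of a link."""
    link = LINKS[link_id]
    link["source"], link["destination"] = link["destination"], link["source"]
    return link


def vulnerable_handler(req: Request):
    """GET route that mutates state: any page that makes the browser follow the
    link runs the action with the victim's cookie, and nothing ties the request
    to a page the application itself rendered."""
    session = SESSIONS.get(req.session_cookie)
    if session is None:
        return 302, "login"
    if req.method == "GET" and req.path.startswith(SWITCH_PREFIX):
        switch_link(int(req.path[len(SWITCH_PREFIX):]))
        return 302, "ok"
    return 404, "not found"


def hardened_handler(req: Request):
    """Same action, but POST only and the submitted _token must equal the token
    kept in the victim's session (synchronizer token pattern). A link or image
    tag can only produce a GET, and a cross-site form cannot read the token."""
    session = SESSIONS.get(req.session_cookie)
    if session is None:
        return 302, "login"
    if not req.path.startswith(SWITCH_PREFIX):
        return 404, "not found"
    if req.method != "POST":
        return 405, "method not allowed"
    submitted = req.form.get("_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 419, "token mismatch"          # Laravel's status for a CSRF failure
    switch_link(int(req.path[len(SWITCH_PREFIX):]))
    return 302, "ok"


def forged_link_request() -> Request:
    """What a link on a third-party page produces: GET, cookie attached, no body."""
    return Request("GET", SWITCH_PREFIX + "42", session_cookie="sess-abc")


def legitimate_form_request() -> Request:
    """What the application's own form produces: POST carrying the session token."""
    return Request("POST", SWITCH_PREFIX + "42", session_cookie="sess-abc",
                   form={"_token": SESSIONS["sess-abc"].csrf_token})


if __name__ == "__main__":
    print("vulnerable, link click :", vulnerable_handler(forged_link_request()), LINKS[42])
    print("hardened,   link click :", hardened_handler(forged_link_request()), LINKS[42])
    print("hardened,   own form   :", hardened_handler(legitimate_form_request()), LINKS[42])
```

The defensive takeaway is the pair of checks in `hardened_handler`: refusing GET removes the "click me" vector entirely, and the session-bound token stops a cross-site form POST as well, since the attacker's page cannot read the victim's token. Moving the action to POST without the token check would only close the first of the two.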

We are processing your report and will contact the firefly-iii team within 24 hours. a year ago
haxatron modified the report
a year ago
haxatron modified the report
a year ago
We have contacted a member of the firefly-iii team and are waiting to hear back a year ago
James Cole validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole marked this as fixed in 5.6.4 with commit 518b4b a year ago
James Cole has been awarded the fix bounty
This vulnerability will not receive a CVE
web.php#L1080L1081 has been validated
LinkController.php#L160L166 has been validated
show.js#L1L99 has been validated
Jamie Slome
a year ago

Admin


CVE published! 🎊
