Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Status: Valid

Reported on Nov 23rd 2021


Description

CSRF in the transaction link switching endpoint (/transactions/link/switch/{id}): the action is performed on a plain GET request, so a logged-in user can be made to trigger it by following a link.

Proof of Concept

<a href="http://10.0.2.15/transactions/link/switch/{id}">CLICK ME!</a>

Impact

This vulnerability allows an attacker to trick an authenticated user into switching transaction links without intending to.
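Added example, not code from the report or from Firefly III: a minimal Python model of the reported route, showing why the PoC's GET link succeeds against a session-authenticated handler and how requiring POST plus a per-session CSRF token rejects the same request. It assumes the fix works the way Laravel's CSRF middleware does (only non-GET methods are token-checked, so the action has to move off GET); the route prefix is taken from the PoC, while the session store, status strings and function names are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SWITCH_PATH_PREFIX = "/transactions/link/switch/"  # route from the report's PoC

@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # sent automatically by the browser
    form: dict = field(default_factory=dict)     # body fields; an <a href> click has none

SESSIONS: dict = {}  # session id -> CSRF token (constructed stand-in for the session store)

def login() -> str:
    """Create a logged-in session and return its id (the cookie value)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(20)
    return sid

def vulnerable_switch(req: Request) -> str:
    """Reported behaviour: any GET carrying a valid session cookie flips the link."""
    if req.cookies.get("session") not in SESSIONS:
        return "401"
    if req.method == "GET" and req.path.startswith(SWITCH_PATH_PREFIX):
        return "200 switched " + req.path[len(SWITCH_PATH_PREFIX):]
    return "404"

def hardened_switch(req: Request) -> str:
    """Hardened handler: state changes only on POST with the session's CSRF token."""
    token_expected = SESSIONS.get(req.cookies.get("session"))
    if token_expected is None:
        return "401"
    if not req.path.startswith(SWITCH_PATH_PREFIX):
        return "404"
    if req.method != "POST":
        return "405"  # a cross-site link or image tag can only produce a GET
    if not hmac.compare_digest(req.form.get("_token", ""), token_expected):
        return "419"  # status Laravel uses for a CSRF token mismatch
    return "200 switched " + req.path[len(SWITCH_PATH_PREFIX):]

def forged_click(sid: str) -> Request:
    """What the PoC link produces: a GET with the victim's cookie and no token."""
    return Request("GET", SWITCH_PATH_PREFIX + "42", cookies={"session": sid})

def legitimate_post(sid: str) -> Request:
    """What the application's own form or script would send after the fix."""
    return Request("POST", SWITCH_PATH_PREFIX + "42",
                   cookies={"session": sid}, form={"_token": SESSIONS[sid]})
```

The forged request is identical in both handlers; only the method and token requirement differ, which is why a GET-to-POST route change plus token check closes the issue while leaving the legitimate flow intact.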

Timeline

We are processing your report and will contact the firefly-iii team within 24 hours. (11 days ago)
haxatron modified their report (11 days ago)
haxatron modified their report (11 days ago)
We have contacted a member of the firefly-iii team and are waiting to hear back. (10 days ago)
James Cole validated this vulnerability. (10 days ago)
haxatron has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
James Cole confirmed that a fix has been merged on 518b4b. (10 days ago)
James Cole has been awarded the fix bounty.
web.php#L1080L1081 has been validated.
LinkController.php#L160L166 has been validated.
show.js#L1L99 has been validated.
Jamie Slome (Admin), 3 days ago:

CVE published! 🎊