Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Valid

Reported on

Nov 23rd 2021


Description

CSRF in switching transaction links

Proof of Concept

<a href="http://10.0.2.15/transactions/link/switch/{id}">CLICK ME!</a>

Impact

This vulnerability is capable of tricking users into switching transaction links.
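The weakness behind the PoC is a state-changing action reachable by a plain GET: the victim's browser attaches the Firefly III session cookie to whatever navigation the attacker's page triggers, so an ordinary link (or an image tag) is enough. The following is an added illustration, not Firefly III code and not the project's actual fix: a minimal in-memory model of the vulnerable GET handler next to a hardened POST handler that checks a per-session synchronizer token. The route path comes from the PoC; the session store, link table, handler names and the `_token` form field (the name Laravel's CSRF middleware reads) are assumptions made for the example.

```python
"""Added example: GET-triggered state change (forgeable) vs. POST + synchronizer token.

Everything here is a constructed stand-in for the server side; nothing is taken
from the Firefly III code base or from the fix commit referenced on the page.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed session store and "transaction link" table (hypothetical names).
SESSIONS = {"sess-victim": {"csrf_token": secrets.token_hex(16)}}
LINKS = {42: {"inward": "tx-1", "outward": "tx-2"}}


@dataclass
class Request:
    """Just the parts of an HTTP request the two handlers look at."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _authenticated_session(req):
    # The browser sends the session cookie on cross-site navigations too,
    # which is exactly what the forged request relies on.
    return SESSIONS.get(req.cookies.get("session"))


def _switch(link_id):
    """The privileged action: swap the two ends of a transaction link."""
    link = LINKS[link_id]
    link["inward"], link["outward"] = link["outward"], link["inward"]
    return f"switched link {link_id}"


def vulnerable_switch(req, link_id):
    """Models /transactions/link/switch/{id} as a GET route guarded only by the
    session cookie. Any page the victim visits can trigger it."""
    if _authenticated_session(req) is None:
        return 302, "redirect to login"
    return 200, _switch(link_id)


def hardened_switch(req, link_id):
    """Same action behind POST plus a synchronizer token. The attacker's page
    cannot read the victim's token (same-origin policy), so it cannot forge
    a request that passes the comparison."""
    if req.method != "POST":
        return 405, "method not allowed"
    session = _authenticated_session(req)
    if session is None:
        return 302, "redirect to login"
    submitted = req.form.get("_token", "")
    # Constant-time compare; 419 is the status Laravel uses for a token mismatch.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 419, "csrf token mismatch"
    return 200, _switch(link_id)


def forged_request():
    """What the PoC anchor produces: a top-level GET from the attacker's page.
    The browser adds the victim's cookie; the attacker controls nothing else."""
    return Request("GET", "/transactions/link/switch/42",
                   cookies={"session": "sess-victim"})


def forged_post_without_token():
    """A cross-site auto-submitting form: POST is possible, the token is not."""
    return Request("POST", "/transactions/link/switch/42",
                   cookies={"session": "sess-victim"}, form={"_token": "guess"})


def legitimate_request():
    """The real UI renders the session's token into the form before submitting."""
    token = SESSIONS["sess-victim"]["csrf_token"]
    return Request("POST", "/transactions/link/switch/42",
                   cookies={"session": "sess-victim"}, form={"_token": token})


if __name__ == "__main__":
    print("vulnerable, forged GET :", vulnerable_switch(forged_request(), 42))
    print("hardened, forged GET   :", hardened_switch(forged_request(), 42))
    print("hardened, forged POST  :", hardened_switch(forged_post_without_token(), 42))
    print("hardened, legitimate   :", hardened_switch(legitimate_request(), 42))
```

Moving the action to POST alone is not enough (a hidden auto-submitting form forges a POST just as easily), which is why the example checks the token as well; marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer, but the token check is what makes the endpoint safe regardless of browser behaviour.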

Timeline

haxatron modified their report
We have contacted a member of the firefly-iii team and are waiting to hear back
James Cole validated this vulnerability
haxatron has been awarded the disclosure bounty
James Cole confirmed that a fix has been merged on 518b4b
James Cole has been awarded the fix bounty
web.php#L1080L1081 has been validated
LinkController.php#L160L166 has been validated
show.js#L1L99 has been validated