Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Valid

Reported on

Sep 19th 2021


Description

Hello dear firefly-iii team

I found some low-priority CSRFs in firefly-iii.

Occurrences

disable/enable any currency

clone any transaction

Attackers are able to clone any transaction.
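The class of bug reported above, as an added example that is not Firefly III's own code: Firefly III is a Laravel application, and this is a Go stand-in using only the standard library, with a hypothetical `/currencies/disable/{code}` route and a constructed two-currency table. A Laravel-style CSRF filter only checks "unsafe" methods, so a state-changing action wired to a GET route is reachable from any page the logged-in user visits (an `<img>` tag is enough). The hardened variant accepts the same action only over POST, where the token check applies.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// store is a constructed stand-in for the currency table (not Firefly III's model).
type store struct {
	mu      sync.Mutex
	enabled map[string]bool
}

func newStore() *store { return &store{enabled: map[string]bool{"EUR": true, "USD": true}} }

func (s *store) set(code string, on bool) { s.mu.Lock(); defer s.mu.Unlock(); s.enabled[code] = on }
func (s *store) get(code string) bool     { s.mu.Lock(); defer s.mu.Unlock(); return s.enabled[code] }

// newToken mints a per-session CSRF token; a real app keeps it in the session.
func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// csrfMiddleware mimics a Laravel-style VerifyCsrfToken: it validates the token
// only for non-reading methods. GET/HEAD/OPTIONS pass straight through, which is
// exactly why a state-changing GET route is forgeable from another origin.
func csrfMiddleware(sessionToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		got := r.Header.Get("X-CSRF-TOKEN")
		if got == "" {
			got = r.PostFormValue("_token")
		}
		if subtle.ConstantTimeCompare([]byte(got), []byte(sessionToken)) != 1 {
			http.Error(w, "CSRF token mismatch", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableMux wires the disable action to GET: a page embedding
// <img src="https://victim.example/currencies/disable/EUR"> disables it.
func vulnerableMux(s *store, token string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/currencies/disable/", func(w http.ResponseWriter, r *http.Request) {
		s.set(strings.TrimPrefix(r.URL.Path, "/currencies/disable/"), false)
	})
	return csrfMiddleware(token, mux)
}

// hardenedMux performs the same action only on POST, so the token check above applies.
func hardenedMux(s *store, token string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/currencies/disable/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.Header().Set("Allow", "POST")
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		s.set(strings.TrimPrefix(r.URL.Path, "/currencies/disable/"), false)
	})
	return csrfMiddleware(token, mux)
}

// send issues a request against h and returns the status code. A forged cross-site
// request rides on the victim's cookies but cannot supply the token (token == "").
func send(h http.Handler, method, path, token string) int {
	var body io.Reader
	if token != "" {
		body = strings.NewReader("_token=" + token)
	}
	req := httptest.NewRequest(method, path, body)
	if token != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok := newToken()
	s := newStore()
	fmt.Println("vulnerable, forged GET:", send(vulnerableMux(s, tok), "GET", "/currencies/disable/EUR", ""), "EUR enabled:", s.get("EUR"))
	s = newStore()
	h := hardenedMux(s, tok)
	fmt.Println("hardened, forged GET:", send(h, "GET", "/currencies/disable/EUR", ""), "EUR enabled:", s.get("EUR"))
	fmt.Println("hardened, POST without token:", send(h, "POST", "/currencies/disable/EUR", ""), "EUR enabled:", s.get("EUR"))
	fmt.Println("hardened, POST with token:", send(h, "POST", "/currencies/disable/EUR", tok), "EUR enabled:", s.get("EUR"))
}
```

The check to carry over to a real audit is the same one the fix commit for this report had to make: every route that mutates state (enable, disable, clone) must be registered on a method the CSRF middleware actually inspects, not merely placed behind authentication.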

We have contacted a member of the firefly-iii team and are waiting to hear back 2 months ago
James Cole
2 months ago

That's three, right? disable, enable, clone. I'll check it out :+1:

amammad
2 months ago

Researcher


Yeah, clone transactions and enable/disable currencies.

James Cole validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole confirmed that a fix has been merged on 578f35 2 months ago
James Cole has been awarded the fix bounty
index.js#L1-L43 has been validated
web.php#L341-L342 has been validated
index.js#L1-L29 has been validated
web.php#L1015 has been validated
show.twig#L1-L432 has been validated
Jamie Slome
2 months ago

Admin


CVE published! 🎊