grumpydictator/firefly-iii
Packagist: 22 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting grumpydictator/firefly-iii
- CVE-2019-13644 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 4.7.17.1 | 2019-07-18
vulnerable: 3.0.0 ... 4.7.9 (156 versions)
Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page. NO…
- CVE-2019-13645 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 4.7.17.3 | 2019-07-18
vulnerable: 3.0.0 ... 4.7.9 (158 versions)
Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing. NOTE: It is asserted that an…
- CVE-2019-13646 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 4.7.17.3 | 2019-07-18
vulnerable: 3.0.0 ... 4.7.9 (158 versions)
Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute…
- CVE-2019-13647 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 4.7.17.3 | 2019-07-18
vulnerable: 3.0.0 ... 4.7.9 (158 versions)
Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing. NOTE: It is asserted that …
- CVE-2019-14671 | LOW | CVSS 3.3 | EG 3.3 | ✓ Fixed in 4.7.17.4 | 2019-08-05
vulnerable: 3.0.0 ... 4.7.9 (159 versions)
Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and i…
- CVE-2021-3663 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.5.13 | 2021-07-25
vulnerable: 3.0.0 ... 5.5.9 (243 versions)
firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts
- CVE-2021-3728 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 5.6.0 | 2021-08-23
vulnerable: 3.0.0 ... 5.6.0-alpha.2 (246 versions)
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3729 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 5.6.0 | 2021-08-23
vulnerable: 3.0.0 ... 5.6.0-alpha.2 (246 versions)
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3730 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 5.6.0 | 2021-08-23
vulnerable: 3.0.0 ... 5.6.0-alpha.2 (246 versions)
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3819 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 5.6.1 | 2021-09-27
vulnerable: 3.0.0 ... 5.6.0-alpha.2 (247 versions)
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3846 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 5.6.2 | 2021-10-19
vulnerable: 3.0.0 ... 5.6.1 (248 versions)
firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type
- CVE-2021-3851 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.6.2 | 2021-10-19
vulnerable: 3.0.0 ... 5.6.1 (248 versions)
firefly-iii is vulnerable to URL Redirection to Untrusted Site
- CVE-2021-3900 | MEDIUM | CVSS 6.5 | EG 6.5 | no fixed version listed | 2021-10-27
vulnerable: 3.0.0 ... 5.6.2 (249 versions)
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3901 | HIGH | CVSS 8.8 | EG 3.5 | no fixed version listed | 2021-10-27
vulnerable: 3.0.0 ... 5.6.2 (249 versions)
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-3921 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 5.6.3 | 2021-11-13
vulnerable: 3.0.0 ... 5.6.2 (249 versions)
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-4005 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 5.6.5 | 2021-12-04
vulnerable: 3.0.0 ... 5.6.4 (251 versions)
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2021-4015 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 5.6.5 | 2021-12-01
vulnerable: 3.0.0 ... 5.6.4 (251 versions)
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
- CVE-2023-0298 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 5.8.0 | 2023-01-14
vulnerable: 3.0.0 ... 5.8.0-alpha.1 (283 versions)
Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.
- CVE-2023-1788 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 6.0.0 | 2023-04-05
vulnerable: 3.0.0 ... v6.0.0-beta.2 (287 versions)
Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6.
- CVE-2023-1789 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 6.0.0 | 2023-04-01
vulnerable: 3.0.0 ... v6.0.0-beta.2 (287 versions)
Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0.
- CVE-2024-22075 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 6.1.1 | 2024-01-05
vulnerable: 3.0.0 ... v6.1.0-alpha.1 (320 versions)
Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection.
- CVE-2024-37893 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 6.1.17 | 2024-06-17
vulnerable: 3.0.0 ... v6.1.9 (336 versions)
Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gai…