Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability
References
Link | Resource |
---|---|
https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa | Patch Third Party Advisory |
https://github.com/firefly-iii/firefly-iii/issues/2338 | Exploit Third Party Advisory |
https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa | Patch Third Party Advisory |
https://github.com/firefly-iii/firefly-iii/issues/2338 | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 04:25
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa - Patch, Third Party Advisory | |
References | () https://github.com/firefly-iii/firefly-iii/issues/2338 - Exploit, Third Party Advisory |
07 Nov 2023, 03:03
Type | Values Removed | Values Added |
---|---|---|
Summary | Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability |
Information
Published : 2019-07-18 03:15
Updated : 2024-11-21 04:25
NVD link : CVE-2019-13647
Mitre link : CVE-2019-13647
CVE.ORG link : CVE-2019-13647
JSON object : View
Products Affected
firefly-iii
- firefly_iii
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')