Lucene search

GitHub Advisory DatabaseGHSA-MRC2-H7Q2-PP97

HistoryMay 24, 2022 - 4:50 p.m.

Firefly III vulnerable to reflected cross-site scripting

2022-05-2416:50:37

CWE-79

GitHub Advisory Database

github.com

firefly iii

vulnerability

reflected xss

filtration

search query

software

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query.

Affected configurations

Vulners

Node

grumpydictatorfirefly-iiiRange<4.7.17.3

VendorProductVersionCPE
grumpydictatorfirefly-iii*cpe:2.3:a:grumpydictator:firefly-iii:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
grumpydictator	firefly-iii	*	cpe:2.3:a:grumpydictator:firefly-iii::::::::

References

github.com/advisories/GHSA-mrc2-h7q2-pp97

github.com/firefly-iii/firefly-iii/commit/f795cb07e1bb9ad3bd0dceeafbb0ece4ebe518d7

github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa

github.com/firefly-iii/firefly-iii/issues/2339

nvd.nist.gov/vuln/detail/CVE-2019-13646

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Related for GHSA-MRC2-H7Q2-PP97