Lucene search
Haxatron909E55B6-EF02-4143-92E4-BC3E8397DB76HistoryOct 23, 2021 - 6:36 a.m.
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
2021-10-2306:36:27
haxatron
www.huntr.dev
15
csrf
vulnerability
firefly-iii
admin users
duplicate rules
modify
rule group order
EPSS
0.001
Percentile
31.0%
Description
No CSRF in duplicate rule, and modifying the order of the rule group
Proof of Concept
<a href="https://demo.firefly-iii.org/rules/duplicate/1">Click Me!</a>
<a href="https://demo.firefly-iii.org/rule-groups/up/1">Click Me!</a>
<a href="https://demo.firefly-iii.org/rule-groups/down/1">Click Me!</a>
Impact
This vulnerability is capable of tricking admin users to duplicate rule and modifying order of rule groups
Permalinks selected with reference to this report: https://huntr.dev/bounties/da82f7b6-4ffc-4109-87a4-a2a790bd44e5/
Related
veracode
veracode
Cross-Site Request Forgery (CSRF)
2021-10-28 03:40:30
cvelist
cvelist
CVE-2021-3900 Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
2021-10-27 17:45:11
nvd
nvd
CVE-2021-3900
2021-10-27 18:15:07
osv
osv
CVE-2021-3900
2021-10-27 18:15:07
Cross-Site Request Forgery in firefly-iii
2021-10-28 23:14:21
github
github
Cross-Site Request Forgery in firefly-iii
2021-10-28 23:14:21
cve
cve
CVE-2021-3900
2021-10-27 18:15:07
prion
prion
Cross site request forgery (csrf)
2021-10-27 18:15:00