Iii Security Vulnerabilities

CVE-2019-13644

Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page. NOTE: It is asserted that an attacker must have the same...

CVE-2019-13645

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing. NOTE: It is asserted that an attacker must have the same access rights as the user in...

CVE-2019-13646

Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the...

CVE-2019-13647

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing. NOTE: It is asserted that an attacker must have the same access rights as the user in....

CVE-2024-22075

Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML...

CVE-2023-1788

Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to...

CVE-2023-1789

Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to...

CVE-2023-0298

Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to...

CVE-2021-4005

firefly-iii is vulnerable to Cross-Site Request Forgery...

CVE-2021-4015

firefly-iii is vulnerable to Cross-Site Request Forgery...

CVE-2021-3921

firefly-iii is vulnerable to Cross-Site Request Forgery...

CVE-2021-3901

firefly-iii is vulnerable to Cross-Site Request Forgery...

CVE-2021-3900

firefly-iii is vulnerable to Cross-Site Request Forgery...

CVE-2021-3851

firefly-iii is vulnerable to URL Redirection to Untrusted...

CVE-2021-3846

firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous...

CVE-2021-3819

firefly-iii is vulnerable to Cross-Site Request Forgery...

CVE-2021-3728

firefly-iii is vulnerable to Cross-Site Request Forgery...

CVE-2021-3730

firefly-iii is vulnerable to Cross-Site Request Forgery...

CVE-2021-3729

firefly-iii is vulnerable to Cross-Site Request Forgery...

CVE-2021-3663

firefly-iii is vulnerable to Improper Restriction of Excessive Authentication...

CVE-2014-5138

Innovative Interfaces Sierra Library Services Platform 1.2_3 does not properly handle query strings with multiple instances of the same parameter, which allows remote attackers to bypass parameter validation via unspecified vectors, possibly related to the Webpac Pro...

CVE-2019-14672

Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field. The JavaScript code is executed upon an error condition during a visit to the account show...

CVE-2019-14670

Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill...

CVE-2019-14671

Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and...

CVE-2019-14669

Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the asset account name. The JavaScript code is executed during a visit to the audit account statistics...

CVE-2019-14668

Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the transaction description field. The JavaScript code is executed during deletion of a transaction...

CVE-2019-14667

Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction...

CVE-2014-2081

Multiple SQL injection vulnerabilities in the login in web_reports/cgi-bin/InfoStation.cgi in Innovative vtls-Virtua before 2013.2.4 and 2014.x before 2014.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password...

CVE-2014-5137

Innovative Interfaces Sierra Library Services Platform 1.2_3 provides different responses for login request depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of login requests, possibly related to the Webpac Pro...

CVE-2014-5136

Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified...

CVE-2014-5128

Innovative Interfaces Encore Discovery Solution 4.3 places a session token in the URI, which might allow remote attackers to obtain sensitive information via unspecified...

CVE-2014-5127

Open redirect vulnerability in Innovative Interfaces Encore Discovery Solution 4.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified...