grumpydictator/firefly-iii is vulnerable to cross-site scripting (XSS). The application does not validate the file name supplied by the user, so an attacker can inject a malicious script through it; the script is executed when the attachment is edited at attachments/edit/$file_id$.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | grumpydictator/firefly-iii | le | 4.1.17.2 |
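
The flaw described above, an attachment file name reaching the edit page without validation or encoding, is shown next to its fix in the PHP below. This is an added example, not code from Firefly III or from the advisory: the function names, the page markup and the sample file name are assumptions made for illustration; only the attachments/edit/$file_id$ route comes from the text.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not Firefly III's own code.

/** Encode a value for HTML text and quoted attribute contexts. */
function e_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored file name is concatenated into markup as-is. */
function render_edit_form_unsafe(int $fileId, string $filename): string
{
    return '<form method="post" action="/attachments/edit/' . $fileId . '">'
         . '<h1>Edit attachment "' . $filename . '"</h1>'
         . '<input type="text" name="filename" value="' . $filename . '">'
         . '</form>';
}

/** Hardened pattern: every use of the file name is encoded at output time. */
function render_edit_form_safe(int $fileId, string $filename): string
{
    $safe = e_html($filename);
    return '<form method="post" action="/attachments/edit/' . $fileId . '">'
         . '<h1>Edit attachment "' . $safe . '"</h1>'
         . '<input type="text" name="filename" value="' . $safe . '">'
         . '</form>';
}

/** Second layer at upload time: refuse names carrying markup or control bytes. */
function validate_upload_name(string $name): string
{
    $name = basename(str_replace('\\', '/', $name)); // drop any client-side path
    if ($name === '' || strlen($name) > 255
        || preg_match('/[<>"\x00-\x1F\x7F]/', $name) === 1) {
        throw new InvalidArgumentException('Rejected attachment file name');
    }
    return $name;
}

$sample = 'receipt"><img src=x onerror=alert(1)>.pdf'; // constructed sample input
echo render_edit_form_unsafe(7, $sample), PHP_EOL;     // name is parsed as markup
echo render_edit_form_safe(7, $sample), PHP_EOL;       // name is rendered as text
try {
    validate_upload_name($sample);
} catch (InvalidArgumentException $ex) {
    echo $ex->getMessage(), PHP_EOL;                   // upload-time check refuses it
}
```

Output encoding is the primary control here, because it also covers names already stored before any upload check was introduced; the upload-time validation only narrows what can be stored.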