CVE-2019-14671 – grumpydictator/firefly-iii
Package
Manager: composer
Name: grumpydictator/firefly-iii
Vulnerable Version: >=0 <4.7.17.4
Severity
Level: Low
CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00053 (percentile 0.16129)
Details
Improper Input Validation in Firefly III
Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and import/create/fints.
Metadata
Created: 2021-09-08T17:27:07Z
Modified: 2021-07-22T21:50:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-jjcx-999m-35hc/GHSA-jjcx-999m-35hc.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-jjcx-999m-35hc
Finding: F184
Auto approve: 1