GHSA-29w6-c52g-m8jc – grumpydictator/firefly-iii
Package
Manager: composer
Name: grumpydictator/firefly-iii
Vulnerable Version: >=0 <6.1.7
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
C5 Firefly III CSV Injection.

### Summary
CSV injection (also called formula injection) is a vulnerability where untrusted user input written into a CSV file is interpreted as a formula when the file is opened in spreadsheet software, which can lead to unauthorized access or data manipulation on the machine of the user who opens the file. I found this in my subsequent testing of the application.

### Details
I discovered that there is an option to "Export Data" from the web app to your personal computer, which exports a "csv" file that can be opened with spreadsheet software such as Excel, which evaluates cell contents that look like formulas.

P.S. I discovered that the web application offers a demo site that anyone may access to play with the web application. So there is a chance that someone will export the data (CSV) from the demo site and open it on their PC, giving the malicious actor complete control over their machine (if a user has entered a malicious payload into the website).

### PoC
You can check out my vulnerability report if you need more details/PoC with screenshots: (removed by JC5)

### Impact
An attacker can exploit this by entering a specially crafted payload into one of the fields; when a user exports the CSV file using the "Export Data" function and opens it in a spreadsheet application, the attacker can potentially achieve RCE on that user's machine.

### Addendum by JC5, the developer of Firefly III
There is zero impact on normal users, even on vulnerable versions.
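The following is an added example of the export-side defence against the CSV injection described above; it is illustration code written for this page, not Firefly III's own export code (which is PHP), and the transaction rows, column names and the `TEXT_COLUMNS` set are constructed assumptions. It writes the same rows once unsanitised and once with formula triggers neutralised, and includes an audit function that flags any text cell a spreadsheet would still evaluate as a formula.

```python
import csv
import io
from typing import Iterable, Sequence

# Leading characters that make spreadsheet applications (Excel, LibreOffice Calc)
# treat a cell as a formula instead of literal text. These are the triggers OWASP
# lists for CSV/formula injection.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export (not real Firefly III data): a few transaction rows as
# a personal-finance app might export them. The description in the second row is
# an attacker-supplied DDE-style payload of the kind the advisory describes; it is
# inert here because nothing opens the output in a spreadsheet.
SAMPLE_HEADER = ["date", "description", "amount", "category"]
SAMPLE_ROWS = [
    ["2024-01-30", "Groceries", "-42.10", "Food"],
    ["2024-01-31", "=cmd|' /C calc'!A0", "10.00", "Misc"],
    ["2024-01-31", "+1234", "5.00", "Misc"],
]
# Assumed column typing: only free-text columns are sanitised. A finance export
# has numeric columns such as 'amount' whose values legitimately start with '-'.
TEXT_COLUMNS = {"description", "category"}


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would interpret this cell as a formula."""
    return value.startswith(FORMULA_TRIGGERS)


def sanitize_cell(value: str) -> str:
    """Prefix a formula trigger with a single quote so the spreadsheet keeps the
    literal text. The double quotes added by QUOTE_ALL in the writer stop an
    attacker from terminating the cell early with a separator character."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_csv(header: Sequence[str], rows: Iterable[Sequence[str]], sanitize: bool) -> str:
    """Serialise rows to CSV; with sanitize=True, text columns are neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        out = []
        for col, cell in zip(header, row):
            if sanitize and col in TEXT_COLUMNS:
                cell = sanitize_cell(cell)
            out.append(cell)
        writer.writerow(out)
    return buf.getvalue()


def dangerous_cells(csv_text: str, text_columns=TEXT_COLUMNS) -> list:
    """Audit an export: return (row_number, column, value) for every text cell
    that would still be evaluated as a formula. Run this over a real export to
    check whether the application's sanitisation is effective."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for n, row in enumerate(reader, start=1):
        for col in sorted(text_columns):
            value = row.get(col, "")
            if is_formula_like(value):
                hits.append((n, col, value))
    return hits


if __name__ == "__main__":
    raw = export_csv(SAMPLE_HEADER, SAMPLE_ROWS, sanitize=False)
    safe = export_csv(SAMPLE_HEADER, SAMPLE_ROWS, sanitize=True)
    print("unsanitised export: %d formula-like text cells" % len(dangerous_cells(raw)))
    print("sanitised export:   %d formula-like text cells" % len(dangerous_cells(safe)))
    print(safe)
```

The column-typed approach matters for a finance application: blanket prefixing of every cell that starts with "-" would corrupt negative amounts, so the sanitiser is applied only to columns that carry free text, while numeric columns are left as typed values. The audit function is also the quickest way to verify a fix in a real deployment: export a data set containing a known test payload in a description field and confirm that `dangerous_cells` returns nothing.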
Metadata
Created: 2024-01-31T18:05:46Z
Modified: 2024-01-31T18:05:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-29w6-c52g-m8jc/GHSA-29w6-c52g-m8jc.json
CWE IDs: []
Alternative ID: N/A
Finding: F090
Auto approve: 1