Headline
CVE-2021-4005: Cross-Site Request Forgery (CSRF) in firefly-iii
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
Valid
Reported on
Nov 23rd 2021
Description
CSRF to disable 2FA
Proof of Concept
<a href="http://10.0.2.15/profile/delete-code">CLICK ME!</a>
Impact
This vulnerability is capable of tricking users into disabling 2FA.
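As an added example (not part of the report or of firefly-iii's code), a constructed Python model of why the PoC link works: CSRF middleware of the kind Laravel ships (VerifyCsrfToken) skips GET/HEAD/OPTIONS entirely, so a state-changing GET route is never token-checked, and the fix is to accept the action only over POST carrying the session token. The names `Request`, `delete_code_vulnerable`, `delete_code_fixed` and the `mfa_secret` session key are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # methods typical CSRF middleware leaves unchecked


@dataclass
class Request:
    method: str
    path: str
    session: dict                            # the victim's own session: the browser sends their cookie
    form: dict = field(default_factory=dict)  # body fields; an attacker-crafted GET link has none


def csrf_token_ok(req: Request) -> bool:
    """Session-token check as common middleware performs it. 'Reading' methods are
    skipped outright, so this guard never runs for a state-changing GET route."""
    if req.method in SAFE_METHODS:
        return True
    expected, supplied = req.session.get("_token"), req.form.get("_token")
    return bool(expected and supplied and hmac.compare_digest(expected, supplied))


def delete_code_vulnerable(req: Request) -> int:
    """Constructed stand-in for the reported GET /profile/delete-code behaviour."""
    if not csrf_token_ok(req):
        return 403
    req.session.pop("mfa_secret", None)      # 2FA disabled by a plain GET
    return 200


def delete_code_fixed(req: Request) -> int:
    """Hardened form: the state change needs POST, and the POST needs the session token."""
    if req.method != "POST":
        return 405
    if not csrf_token_ok(req):
        return 403
    req.session.pop("mfa_secret", None)
    return 200


def new_session() -> dict:
    # constructed victim session: 2FA enrolled, CSRF token issued at login
    return {"mfa_secret": "constructed-totp-secret", "_token": secrets.token_hex(20)}


def replay_poc(handler) -> tuple[int, bool]:
    """Replays the PoC (victim clicks a GET link) and reports (status, 2FA still enabled)."""
    session = new_session()
    status = handler(Request("GET", "/profile/delete-code", session))
    return status, "mfa_secret" in session
```

`replay_poc(delete_code_vulnerable)` returns `(200, False)` while `replay_poc(delete_code_fixed)` returns `(405, True)`; only a POST with the matching `_token` reaches the fixed handler's state change.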
We are processing your report and will contact the firefly-iii team within 24 hours. 11 days ago
haxatron
commented 11 days ago
Researcher
My apologies for submitting the reports earlier regarding /debug and /flush. I was under the assumption that /debug and /flush were available only to admin users, as the /flush UI only appeared in the Administration panel.
haxatron
commented 11 days ago
Researcher
With further testing on the application after I made the reports, I discovered another CSRF-unprotected endpoint that allows a state change; the endpoint is listed above.
Nice find, that’s an important one to fix. No worries about the other endpoints, keep it up!
James Cole validated this vulnerability 11 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Are we able to mark a fix against this report, and we can go ahead and publish the CVE!
Not yet, I completely forgot about it. :D
No worries, take your time! 🤝