Filtered by vendor Firefly-iii
Subscriptions
Filtered by product Firefly Iii
Subscriptions
Total
27 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-37893 | 1 Firefly-iii | 1 Firefly Iii | 2025-07-12 | 5.9 Medium |
| Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should Use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager. | ||||
| CVE-2024-22075 | 1 Firefly-iii | 1 Firefly Iii | 2025-06-05 | 6.1 Medium |
| Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection. | ||||
| CVE-2023-0298 | 1 Firefly-iii | 1 Firefly Iii | 2025-04-07 | 6.5 Medium |
| Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0. | ||||
| CVE-2023-1789 | 1 Firefly-iii | 1 Firefly Iii | 2025-02-11 | 9.8 Critical |
| Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0. | ||||
| CVE-2023-1788 | 1 Firefly-iii | 1 Firefly Iii | 2025-02-10 | 9.8 Critical |
| Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6. | ||||
| CVE-2021-4015 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 4.3 Medium |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-4005 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 4.3 Medium |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3921 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 4.3 Medium |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3901 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 8.8 High |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3900 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 6.5 Medium |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3851 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 5.4 Medium |
| firefly-iii is vulnerable to URL Redirection to Untrusted Site | ||||
| CVE-2021-3846 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 8.8 High |
| firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type | ||||
| CVE-2021-3819 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 8.8 High |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3730 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 6.5 Medium |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3729 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 4.3 Medium |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3728 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 6.5 Medium |
| firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF) | ||||
| CVE-2021-3663 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | 7.5 High |
| firefly-iii is vulnerable to Improper Restriction of Excessive Authentication Attempts | ||||
| CVE-2019-14672 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | N/A |
| Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field. The JavaScript code is executed upon an error condition during a visit to the account show page. | ||||
| CVE-2019-14671 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | N/A |
| Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and import/create/fints. | ||||
| CVE-2019-14670 | 1 Firefly-iii | 1 Firefly Iii | 2024-11-21 | N/A |
| Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill creation. | ||||