PT-2019-13773 · Firefly Iii · Firefly-Iii

0X2500

Publicado

2019-08-05

Atualizado

2021-09-08

CVE-2019-14671

CVSS v3.1

3.3

Baixa

Vetor

AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Firefly III version 4.7.17.3

Description The issue allows an attacker to enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints url in import/job/configuration and import/create/fints.

Recommendations For Firefly III version 4.7.17.3, consider restricting access to the fints url parameter in the import/job/configuration and import/create/fints endpoints to minimize the risk of exploitation. Additionally, as a temporary workaround, consider sanitizing the protocol scheme for file:/// URLs to prevent local file enumeration.

Exploit

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

CVE-2019-14671

GHSA-JJCX-999M-35HC

Produtos afetados

Firefly-Iii

PT-2019-13773 · Firefly Iii · Firefly-Iii

CVE-2019-14671

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5