CVE-2019-13644

Name of the Vulnerable Software and Affected Versions Firefly III versions prior to 4.7.17.1

Description The issue is related to stored XSS due to the lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction and is executed on the "tags/show/$tag number$" tag summary page. An attacker must have the same access rights as the user to execute the vulnerability.

Recommendations For versions prior to 4.7.17.1, update to version 4.7.17.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the tag summary page or limiting the ability to create transactions with user-supplied data in budget names until the update is applied.