PT-2019-13773 · Firefly Iii · Firefly-Iii

0X2500

Published

2019-08-05

Updated

2021-09-08

CVE-2019-14671

CVSS v3.1

3.3

Low

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Firefly III version 4.7.17.3

Description The issue allows an attacker to enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints url in import/job/configuration and import/create/fints.

Recommendations For Firefly III version 4.7.17.3, consider restricting access to the fints url parameter in the import/job/configuration and import/create/fints endpoints to minimize the risk of exploitation. Additionally, as a temporary workaround, consider sanitizing the protocol scheme for file:/// URLs to prevent local file enumeration.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2019-14671

GHSA-JJCX-999M-35HC

Affected Products

Firefly-Iii

PT-2019-13773 · Firefly Iii · Firefly-Iii

CVE-2019-14671

Weakness Enumeration

Related Identifiers

Affected Products

References · 5