PT-2024-27815 · Unknown · Firefly-Iii

Skelmis · Published 2024-06-17 · Updated 2026-06-16 · CVE-2024-37893

CVSS v3.1 5.9 Medium · Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Firefly III versions prior to 6.1.17

Description

An MFA bypass exists in the OAuth flow of Firefly III: the OAuth authorization path does not enforce the multi-factor authentication check that the normal login enforces, so an attacker who knows a victim's username and password can reach the account's data without the second factor. In practice this makes credentials obtained by password spraying (trying common passwords against many accounts) or reused from breaches of other services sufficient on their own. Because OAuth applications use an incrementing ID, they are easily enumerable, allowing an attacker to potentially register an OAuth application to a user's profile. Successful exploitation requires the attacker to possess the victim's username and password.

Recommendations

Update to version 6.1.17 or later. Use a unique password for the instance (the bypass still requires the account password) and store it securely in a password manager.
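The weakness class (authentication bypass via an alternate path) is easiest to see in code. The following is an added illustration, not Firefly III's code or anything from the advisory: a toy login flow in which the browser route requires both the password step and the second factor, while an OAuth authorize route checks only the password step, shown beside the corrected route that reuses the same guard. The user store, OAuth client registry, sample credentials and all function names (`Session`, `oauth_authorize_vulnerable`, `oauth_authorize_fixed`, `demo`) are constructed for the example.

```python
# Added illustration, not Firefly III's code: a login flow where browser
# routes require password + second factor, but one OAuth authorize route
# only checks the password step (CWE-288, alternate path), beside the fix.
# All names and sample data here are constructed for the example.
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed user store: username -> (password, mfa_enabled, totp_code)
USERS = {"alice": ("hunter2", True, "123456")}

# Constructed OAuth client registry with an incrementing integer ID
CLIENTS = {1: "Personal finance app"}


@dataclass
class Session:
    user: Optional[str] = None
    password_ok: bool = False  # set after the password step
    mfa_ok: bool = False       # set only after the second factor


def login_with_password(session: Session, username: str, password: str) -> bool:
    """Step one: password check. With MFA enabled, the session is left
    in a pending-second-factor state and must not be treated as logged in."""
    record = USERS.get(username)
    if record is None or not secrets.compare_digest(record[0], password):
        return False
    session.user = username
    session.password_ok = True
    session.mfa_ok = not record[1]  # accounts without MFA are fully logged in
    return True


def complete_mfa(session: Session, code: str) -> bool:
    """Step two: verify the second factor (a constant stands in for TOTP)."""
    if not session.password_ok:
        return False
    if not secrets.compare_digest(USERS[session.user][2], code):
        return False
    session.mfa_ok = True
    return True


def fully_authenticated(session: Session) -> bool:
    """The one guard every authenticated route should share."""
    return session.password_ok and session.mfa_ok


def web_dashboard(session: Session) -> str:
    """Normal browser route: enforces the full check."""
    if not fully_authenticated(session):
        return "redirect:/mfa"
    return f"dashboard for {session.user}"


def issue_code(user: str, client_id: int) -> Optional[str]:
    """Mint an authorization code bound to (user, client)."""
    if client_id not in CLIENTS:
        return None
    return f"{client_id}:{user}:{secrets.token_hex(8)}"


def oauth_authorize_vulnerable(session: Session, client_id: int) -> Optional[str]:
    """Alternate channel with a weaker guard: only the password step is
    checked, so a pending-MFA session still receives an authorization code."""
    if not session.password_ok:
        return None
    return issue_code(session.user, client_id)


def oauth_authorize_fixed(session: Session, client_id: int) -> Optional[str]:
    """Fix: the OAuth route reuses the same guard as the browser routes."""
    if not fully_authenticated(session):
        return None
    return issue_code(session.user, client_id)


def demo() -> dict:
    """Walk an attacker who knows only the password through both routes."""
    s = Session()
    assert login_with_password(s, "alice", "hunter2")
    result = {
        "web_before_mfa": web_dashboard(s),
        "vuln_before_mfa": oauth_authorize_vulnerable(s, 1),
        "fixed_before_mfa": oauth_authorize_fixed(s, 1),
    }
    complete_mfa(s, "123456")
    result["fixed_after_mfa"] = oauth_authorize_fixed(s, 1)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example is the shared guard: every route that acts on behalf of a logged-in user, including token-issuing endpoints that are not browsed interactively, must go through the same `fully_authenticated` check as the web UI, otherwise a password alone is enough on the weaker path.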

Exploit

Fix

Weakness Enumeration

Improper Authentication
Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2024-37893
GHSA-4GM4-C4MH-4P7W

Affected Products

Firefly-Iii