PT-2024-40020 · Microsoft · Office Excel

Published: 2024-01-31 · Updated: 2024-01-31

CVSS v3.1: 4.0 (Medium)
Vector: AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Firefly III (affected versions not specified)
Description: The issue allows unauthorized access or data manipulation through CSV injection, where untrusted user input written into a CSV file can trigger malicious actions. The web application has an "Export Data" option that produces a CSV file, which can be opened in Excel, a spreadsheet application that evaluates formulas and supports macros. This poses a risk when a user exports data from a demo site and opens the file on their own PC: a malicious actor could gain control over that machine. An attacker can exploit this by entering a specially crafted payload into one of the exported fields; when a user later exports and opens the CSV file, the attacker can potentially achieve remote code execution (RCE).
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
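As an added illustration of the server-side mitigation for this class of bug (not code from the advisory or from the Firefly III project), the export routine below neutralizes fields that a spreadsheet would otherwise evaluate as formulas, while leaving legitimately negative amounts, which a finance application exports constantly, untouched. Field names and sample rows are constructed for the example.

```python
import csv
import io

# Leading characters that make Excel (and LibreOffice) treat a CSV cell
# as a formula instead of text.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a CSV-safe form of one exported field.

    Non-string values pass through. A string that starts with a formula
    trigger is prefixed with a single quote so the spreadsheet keeps it
    as literal text. Plain numeric literals such as "-12.50" are left
    alone, because they are harmless and a prefix would corrupt amounts.
    """
    if not isinstance(value, str):
        return value
    if not value.startswith(FORMULA_PREFIXES):
        return value
    try:
        float(value)  # a bare number, e.g. "-5.00" or "+1", is not a formula
        return value
    except ValueError:
        return "'" + value


def export_rows(rows, fieldnames):
    """Serialize dict rows to CSV text with every field neutralized.

    QUOTE_ALL wraps each field in double quotes, which also stops a
    field containing a delimiter from spilling into neighbouring cells.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one transaction whose description is formula-shaped.
    sample = [{"description": "=HYPERLINK(\"x\")", "amount": "-5.00"}]
    print(export_rows(sample, ["description", "amount"]))
```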

Related Identifiers

GHSA-29W6-C52G-M8JC

Affected Products

Office Excel