
CVE-2019-13645: Firefly III vulnerable to stored XSS

CVSS Score (v3.0): 5.4

Basic Information

EPSS Score: 0.43188%
Published: 5/24/2022
Updated: 7/7/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: grumpydictator/firefly-iii
Ecosystem: composer
Vulnerable Versions: < 4.7.17.3
First Patched Version: 4.7.17.3

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from unescaped output of user-controlled file names in the attachment edit template. The commit diff shows that the fix applied Twig's |escape filter to the attachment.filename and attachment.mime values passed to ExpandedForm.staticText. This indicates that the staticText helper was emitting raw user input into the page without contextual escaping, so a crafted file name stored with an attachment was rendered as markup and executed as script when the attachment was edited. Because the helper's role is to display unvalidated user input in the UI, it is the clear injection point.
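The defect pattern described in the analysis, as an added example that is not Firefly III's own code: a hypothetical staticText-style helper (a stand-in for ExpandedForm.staticText, whose real implementation is not shown on this page) in its raw form next to a hardened form that HTML-escapes its arguments, which is the effect of applying Twig's |escape filter to them. A small check confirms that no raw markup survives in the rendered value position. The attachment values are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not code from Firefly III. staticTextRaw() and
// staticTextEscaped() are hypothetical stand-ins for a form helper that
// builds a read-only field from an attachment's metadata.

// Vulnerable helper: the caller's values land in the HTML verbatim, so a
// stored file name containing markup is rendered as markup.
function staticTextRaw(string $label, string $value): string
{
    return '<div class="form-group"><label>' . $label . '</label>'
         . '<p class="form-control-static">' . $value . '</p></div>';
}

// Hardened helper: every untrusted value is escaped for the HTML text
// context before it is concatenated into markup. ENT_QUOTES also neutralises
// quote characters, so the same output stays safe inside an attribute.
// The label is a developer-supplied constant here; it is left as-is only
// because it never carries user input in this example.
function staticTextEscaped(string $label, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="form-group"><label>' . $label . '</label>'
         . '<p class="form-control-static">' . $safe . '</p></div>';
}

// Regression check a test suite can run over rendered output: if any value
// position still contains a raw '<' or '>', escaping was skipped somewhere.
function renderedValuesAreEscaped(string $html): bool
{
    if (preg_match_all('#<p class="form-control-static">(.*?)</p>#s', $html, $m) === 0) {
        return false;
    }
    foreach ($m[1] as $value) {
        if (strpos($value, '<') !== false || strpos($value, '>') !== false) {
            return false;
        }
    }
    return true;
}

// Constructed sample: a stored file name that carries markup, plus the mime
// type, which the fix escapes as well.
$attachment = [
    'filename' => 'invoice<img src=x onerror=alert(1)>.png',
    'mime'     => 'image/png',
];

foreach ([['raw', 'staticTextRaw'], ['escaped', 'staticTextEscaped']] as [$variant, $render]) {
    $html = $render('File name', $attachment['filename'])
          . $render('Mime type', $attachment['mime']);
    printf("%-8s values escaped: %s\n%s\n\n",
        $variant,
        renderedValuesAreEscaped($html) ? 'yes' : 'no',
        $html);
}
```

Run with `php example.php`: the raw variant reports `no` and shows the `<img ...>` tag intact inside the paragraph, while the escaped variant reports `yes` and shows `&lt;img ...&gt;`, which the browser displays as literal text. The check is deliberately narrow (it only inspects the value position the helper controls); in a real template test the same assertion would be applied to every place user-controlled attachment fields are rendered.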


WAF Protection Rules

WAF Rule

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing.
