CVE-2019-13645: Firefly III vulnerable to stored XSS
CVSS Score: 5.4 (CVSS 3.0)
Basic Information
CVE ID: CVE-2019-13645
GHSA ID
EPSS Score: 0.43188%
CWE
Published: 5/24/2022
Updated: 7/7/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
grumpydictator/firefly-iii | composer | < 4.7.17.3 | 4.7.17.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped output of user-controlled file names (and MIME types) in the attachment edit template. The commit diff shows that the fix adds Twig's |escape filter to the attachment.filename and attachment.mime values passed to ExpandedForm.staticText. This indicates that the staticText helper was outputting raw user input without contextual escaping, so a crafted attachment name was rendered as markup and could trigger stored XSS. Because the helper builds the markup itself, the fix escapes the values before they reach it rather than relying on template autoescaping. The helper's role in displaying unvalidated user input in the UI makes it the injection point.
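The pattern described above, shown as an added example that is not Firefly III's own code: a minimal stand-in for a form helper that returns ready-made HTML, first interpolating the file name raw (the defect) and then escaping it before it enters the markup (the equivalent of the |escape fix). The helper names, the sample file name and the PHP 8 requirement are assumptions.

```php
<?php
declare(strict_types=1);

// In the template the fix looks like this (shape taken from the advisory):
//   {{ ExpandedForm.staticText('File name', attachment.filename|escape) }}
// The helpers below are hypothetical stand-ins, not Firefly III's ExpandedForm.

// Vulnerable pattern: the helper builds HTML by splicing the value in as-is.
// A helper like this returns markup that the template prints raw, so Twig's
// autoescaping never sees the user-controlled file name.
function staticTextVulnerable(string $label, string $value): string
{
    return '<div class="form-group"><label>' . $label . '</label>'
         . '<p class="form-control-static">' . $value . '</p></div>';
}

// Fixed pattern: escape the user-controlled value for an HTML body context
// before it is placed into the markup the helper emits.
function staticTextFixed(string $label, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="form-group"><label>' . $label . '</label>'
         . '<p class="form-control-static">' . $safe . '</p></div>';
}

// Constructed attachment name containing markup, as an uploaded file could carry.
$filename = 'statement<script>alert(1)</script>.pdf';

$vuln  = staticTextVulnerable('File name', $filename);
$fixed = staticTextFixed('File name', $filename);

// Outcome check: the raw helper leaves an executable tag in the page,
// the escaped helper reduces it to inert text.
assert(str_contains($vuln, '<script>'));
assert(!str_contains($fixed, '<script>'));
assert(str_contains($fixed, '&lt;script&gt;'));

echo $fixed, PHP_EOL;
```

Run with assertions enabled (zend.assertions=1) to have the checks fail loudly; the echoed line shows the escaped form that reaches the browser.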