Miggo Logo
Miggo Vulnerability Database
CVE-2021-3730

CVE-2021-3730:
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

6.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2021-3730
GHSA ID
GHSA-c676-mcw3-qg55
EPSS Score
0.30404%
CWE
CWE-352
Published
8/25/2021
Updated
7/6/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
grumpydictator/firefly-iiicomposer< 5.6.05.6.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from handling destructive operations via GET requests without CSRF protection. The patch changed the route from GET to POST, added CSRF token validation in the JavaScript handler, and modified the controller to retrieve ID from POST data instead of direct object binding. The original controller method was vulnerable because it executed destructive actions through GET requests which are inherently unsafe for state-changing operations and lack CSRF token validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ir**ly-iii is vuln*r**l* to *ross-Sit* R*qu*st *or**ry (*SR*)

Reasoning

T** vuln*r**ility st*mm** *rom **n*lin* **stru*tiv* op*r*tions vi* **T r*qu*sts wit*out *SR* prot**tion. T** p*t** ***n*** t** rout* *rom **T to POST, ***** *SR* tok*n `v*li**tion` in t** J*v*S*ript **n*l*r, *n* mo*i*i** t** *ontroll*r to r*tri*v* I*