CVE-2021-3730: firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
6.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.30404%
CWE
Published
8/25/2021
Updated
7/6/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
grumpydictator/firefly-iii | composer | < 5.6.0 | 5.6.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from handling destructive operations via GET requests without CSRF protection. The patch changed the route from GET to POST, added CSRF token validation
in the JavaScript handler, and modified the controller to retrieve ID from POST data instead of direct object binding. The original controller method was vulnerable because it executed destructive actions through GET requests which are inherently unsafe for state-changing operations and lack CSRF token validation
.