
CVE-2021-3730: firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

CVSS Score: 6.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.30404%
Published: 8/25/2021
Updated: 7/6/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name: grumpydictator/firefly-iii
Ecosystem: composer
Vulnerable Versions: < 5.6.0
First Patched Version: 5.6.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stemmed from handling destructive operations via GET requests without CSRF protection. The patch changed the route from GET to POST, added CSRF token validation in the JavaScript handler, and modified the controller to retrieve the ID from POST data instead of relying on direct object binding. The original controller method was vulnerable because it executed destructive actions through GET requests, which are inherently unsafe for state-changing operations and carry no CSRF token that could be validated.
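The following is an added, framework-free PHP sketch of the bug class described above and of the shape of the fix; it is not firefly-iii's code, and the function names, the `$store` array and the `_token` field name are hypothetical.

```php
<?php
// Added example, not firefly-iii code: a GET-triggered destructive handler beside a
// POST handler that validates a per-session CSRF token. Names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the destructive action runs on a GET request. Any cross-site
// page that makes the victim's browser fetch this URL (for example via an image or a
// link) sends the victim's session cookie along, and there is nothing the attacker
// cannot already know that would let the server tell the request apart.
function deleteAccountVulnerable(string $method, array $query, array &$store): string
{
    if ($method !== 'GET') {
        return 'method not allowed';
    }
    $id = (int) ($query['id'] ?? 0);
    unset($store[$id]);            // state change on a GET request, no token checked
    return 'deleted';
}

// Fixed pattern mirroring the patch: POST only, the id taken from the POST body, and
// the session's CSRF token compared in constant time before any state is touched.
function deleteAccountFixed(string $method, array $post, array $session, array &$store): string
{
    if ($method !== 'POST') {
        return 'method not allowed';
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($post['_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'csrf token mismatch';   // reject before touching state
    }
    $id = (int) ($post['id'] ?? 0);
    if (!isset($store[$id])) {
        return 'not found';
    }
    unset($store[$id]);
    return 'deleted';
}

// Constructed demonstration data (not real firefly-iii records).
$store   = [1 => 'Checking', 2 => 'Savings'];
$session = ['csrf_token' => bin2hex(random_bytes(32))];

// A cross-site GET against the vulnerable handler; then the fixed handler refusing a
// GET, refusing a POST with a wrong token, and accepting one with the session token.
echo deleteAccountVulnerable('GET', ['id' => 1], $store), "\n";
echo deleteAccountFixed('GET', ['id' => 2], $session, $store), "\n";
echo deleteAccountFixed('POST', ['id' => 2, '_token' => 'guess'], $session, $store), "\n";
echo deleteAccountFixed('POST', ['id' => 2, '_token' => $session['csrf_token']], $session, $store), "\n";
```

In a real application the token is embedded in the page that renders the delete control and sent by the JavaScript handler with the POST body, which is what the patch description above refers to.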


WAF Protection Rules

WAF Rule: firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
