
CVE-2021-3921: firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

CVSS Score (v3.0): 5.4

Basic Information

EPSS Score: 0.31446%
Published: 11/15/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Package Name: grumpydictator/firefly-iii
Ecosystem: composer
Vulnerable Versions: < 5.6.3
First Patched Version: 5.6.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The core vulnerability stemmed from the logout endpoint accepting any HTTP method (via Route::any). CSRF protections typically require state-changing operations to use protected methods like POST. The patch changed this to Route::post, enforcing method specificity. While template files were modified to add CSRF tokens and POST forms, the root vulnerability was in the route definition's HTTP method handling.
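The route-level fix described above, shown side by side as an added example for a hypothetical Laravel application (this is not Firefly III's own code; the `/logout` path, the `LoginController` name and the test file are assumptions). The point it makes explicit: Laravel's `VerifyCsrfToken` middleware only validates the token on non-reading methods, so a route that also answers GET is never token-checked, regardless of what the templates send.

```php
<?php
// Added example, not Firefly III's code. Two files are shown in one block;
// the section markers name the assumed file each part belongs to.

// --- routes/web.php (assumed path) ---------------------------------------
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\Auth\LoginController; // assumed controller

// BEFORE: Route::any matches GET as well as POST.
// VerifyCsrfToken treats HEAD, GET and OPTIONS as "reading" requests and
// skips the token comparison for them, so a GET /logout reaches the
// controller with no CSRF check at all. That is the forced-logout CSRF
// the advisory describes; the template's CSRF token never enters into it.
Route::any('/logout', [LoginController::class, 'logout'])->name('logout');

// AFTER: only POST is accepted. POST goes through VerifyCsrfToken, which
// rejects a request whose _token field (or X-CSRF-TOKEN header) does not
// match the session token with HTTP 419. A GET /logout now fails routing
// with 405 Method Not Allowed before any controller code runs.
Route::post('/logout', [LoginController::class, 'logout'])->name('logout');

// The matching template change: the logout link becomes a POST form whose
// @csrf directive renders the hidden _token input the middleware checks.
// Blade markup (assumed file resources/views/partials/logout.blade.php):
//
//   <form method="POST" action="{{ route('logout') }}">
//       @csrf
//       <button type="submit">Logout</button>
//   </form>

// --- tests/Feature/LogoutCsrfTest.php (assumed path) ----------------------
// Regression test that pins the route fix: a plain GET must not be able to
// end the session. (The 419 token-mismatch path is not asserted here because
// VerifyCsrfToken is bypassed when the app runs in the testing environment.)
class LogoutCsrfTest extends \Tests\TestCase
{
    public function test_get_logout_is_rejected(): void
    {
        $user = \App\Models\User::factory()->create(); // assumed factory

        $this->actingAs($user)
             ->get('/logout')
             ->assertStatus(405);

        // The session is still authenticated after the rejected GET.
        $this->assertAuthenticatedAs($user);
    }
}
```

A quick manual check of a deployed instance is the same idea: a GET request to the logout URL from an authenticated session should come back 405, and a POST without a `_token` field should come back 419. Both outcomes mean the endpoint is no longer reachable by the cross-site image, link or redirect that the original `Route::any` definition allowed.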


WAF Protection Rules

WAF Rule

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF).
