
CVE-2021-4015: firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.3142%
Published: 12/6/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name: grumpydictator/firefly-iii
Ecosystem: composer
Vulnerable Versions: < 5.6.5
First Patched Version: 5.6.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from using GET requests for state-changing operations. The patch fixes CSRF by changing HTTP methods to POST for these endpoints. Each modified route corresponds to a controller method that was previously accessible via GET/ANY methods without proper CSRF protection. The routes file modifications directly map to vulnerable controller actions that perform sensitive operations like financial rescanning, 2FA management, and data linking.
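To make the root cause concrete, the following is an added example (not code from the Miggo page or from the Firefly III project, and written in Python rather than the project's PHP so it runs stand-alone): a minimal router in which a state-changing action is first registered for GET and POST, as the pre-patch routes were, and then for POST only. The CSRF check is applied only to unsafe methods, which is the usual middleware behaviour and is why a GET route for a state change bypasses it entirely. The `/rescan` path, the `_token` form field, the `Ledger` state and the session contents are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # methods a CSRF middleware does not verify


@dataclass
class Ledger:
    """Constructed application state that the state-changing action modifies."""
    rescanned: bool = False


@dataclass
class Request:
    method: str
    path: str
    session: dict = field(default_factory=dict)  # the victim's authenticated session (cookie-backed)
    form: dict = field(default_factory=dict)     # submitted body fields


@dataclass
class Response:
    status: int
    body: str


def issue_csrf_token(session: dict) -> str:
    """Bind a random token to the session; the app embeds it in its own forms."""
    if "_token" not in session:
        session["_token"] = secrets.token_hex(32)
    return session["_token"]


class Router:
    def __init__(self) -> None:
        self.routes: Dict[Tuple[str, str], Callable[[Request], Response]] = {}

    def add(self, methods, path: str, handler: Callable[[Request], Response]) -> None:
        for m in methods:
            self.routes[(m.upper(), path)] = handler

    def dispatch(self, req: Request) -> Response:
        handler = self.routes.get((req.method.upper(), req.path))
        if handler is None:
            return Response(405, "method not allowed")
        # Token check only for unsafe methods: a GET route is never checked here,
        # so a state change reachable via GET has no CSRF protection at all.
        if req.method.upper() not in SAFE_METHODS:
            expected = req.session.get("_token")
            supplied = req.form.get("_token")
            if not expected or not supplied or not hmac.compare_digest(expected, supplied):
                return Response(419, "CSRF token mismatch")
        return handler(req)


def make_rescan_handler(ledger: Ledger) -> Callable[[Request], Response]:
    def rescan(req: Request) -> Response:
        ledger.rescanned = True  # the sensitive side effect
        return Response(200, "rescan started")
    return rescan


def build_app(patched: bool) -> Tuple[Router, Ledger]:
    """Pre-patch: the hypothetical /rescan route answers GET and POST (ANY-style).
    Patched: POST only, so the token check above always applies."""
    ledger = Ledger()
    router = Router()
    router.add(["POST"] if patched else ["GET", "POST"], "/rescan", make_rescan_handler(ledger))
    return router, ledger


def _run(patched: bool, req_method: str, with_token: bool) -> Tuple[int, bool]:
    router, ledger = build_app(patched)
    session = {"user_id": 1}
    token = issue_csrf_token(session)  # the app has issued a token to this session
    form = {"_token": token} if with_token else {}
    resp = router.dispatch(Request(req_method, "/rescan", session=session, form=form))
    return resp.status, ledger.rescanned


def forged_get(patched: bool) -> Tuple[int, bool]:
    """Browser follows a cross-site URL: session cookie is sent, no form body, no token."""
    return _run(patched, "GET", with_token=False)


def forged_post_without_token(patched: bool) -> Tuple[int, bool]:
    """Cross-site POST: the attacker cannot read the victim's token, so none is supplied."""
    return _run(patched, "POST", with_token=False)


def legitimate_post(patched: bool) -> Tuple[int, bool]:
    """The app's own form submits the session-bound token."""
    return _run(patched, "POST", with_token=True)


if __name__ == "__main__":
    for name, fn in [("forged GET", forged_get), ("forged POST", forged_post_without_token),
                     ("legitimate POST", legitimate_post)]:
        print(f"{name:16} pre-patch={fn(False)}  patched={fn(True)}")
```

With the pre-patch routing, a forged GET reaches the handler and modifies the ledger without any token ever being evaluated; after restricting the route to POST the same request gets a 405 and a token-less POST gets a 419, while the application's own form still succeeds. The check a reviewer would want from this is the one the analysis implies: enumerate the application's routes and confirm that no action with a side effect remains registered for GET or for "any" method, because the token check cannot protect what it never sees.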


WAF Protection Rules

WAF Rule

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF).
