
CVE-2023-1789: Firefly III vulnerable to improper input validation

CVSS Score
5.9 (CVSS 3.1)

Basic Information

EPSS Score
0.10216%
Published
4/1/2023
Updated
4/15/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Package Name
grumpydictator/firefly-iii
Ecosystem
composer
Vulnerable Versions
< 6.0.0
First Patched Version
6.0.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing input sanitization in currency handling operations. The patch adds two security measures: 1) the `e()` function (HTML escaping) for text fields, 2) strict type casting for numeric/boolean fields. In vulnerable versions, the affected functions process user-controlled input (currency properties) directly, without these protections. The commit's explicit addition of these sanitization steps to these specific functions confirms their vulnerable state prior to 6.0.0.
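As an added illustration of the two fixes the analysis describes (not code from Firefly III or from this page), a hypothetical Laravel-style currency update step is shown before and after sanitization. The `CurrencyUpdate` class, the field names and the sample payload are assumptions; the `e()` helper is written out here the way Laravel's helper behaves.

```php
<?php
// Added example, not Firefly III code. Class and field names are hypothetical.

// Stand-in for Laravel's e() helper: HTML-escape a string, quotes included.
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

final class CurrencyUpdate
{
    // Vulnerable pattern: user-controlled currency properties are stored as
    // received, so markup in "name" or "symbol" is kept unescaped and the
    // numeric/boolean fields keep whatever type the client sent.
    public static function vulnerable(array $input): array
    {
        return [
            'name'           => $input['name'],
            'code'           => $input['code'],
            'symbol'         => $input['symbol'],
            'decimal_places' => $input['decimal_places'],
            'enabled'        => $input['enabled'],
        ];
    }

    // Hardened pattern mirroring the fix described for 6.0.0: text fields go
    // through e(), numeric and boolean fields are cast to a strict type so a
    // string such as "2abc" or "yes" cannot reach storage as-is.
    public static function hardened(array $input): array
    {
        return [
            'name'           => e($input['name'] ?? ''),
            'code'           => e($input['code'] ?? ''),
            'symbol'         => e($input['symbol'] ?? ''),
            'decimal_places' => (int) ($input['decimal_places'] ?? 2),
            'enabled'        => (bool) ($input['enabled'] ?? false),
        ];
    }
}

// Constructed request payload standing in for a hostile currency edit.
$input = [
    'name'           => '<b onmouseover="x()">Euro</b>',
    'code'           => 'EUR',
    'symbol'         => '"><i>',
    'decimal_places' => '2abc',
    'enabled'        => 'yes',
];

var_dump(CurrencyUpdate::vulnerable($input)); // markup and raw strings survive
var_dump(CurrencyUpdate::hardened($input));   // escaped text, int and bool values
```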

Vulnerable functions


WAF Protection Rules

WAF Rule

Firefly III versions prior to 6.0.0 are vulnerable to improper input validation.

Reasoning

The vulnerability stems from missing input sanitization in currency handling operations. The patch adds critical security measures: 1) `e()` function (HTML escaping) for text fields, 2) strict type casting for numeric/boolean fields. The affected fun