4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-29w6-c52g-m8jc

EPSS Score

CWE

Published

1/31/2024

Updated

1/31/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-29w6-c52g-m8jc

GHSA-29w6-c52g-m8jc: C5 Firefly III CSV Injection.

Summary

CSV injection is a vulnerability where untrusted user input in CSV files can lead to unauthorized access or data manipulation. In my subsequent testing of the application.

Details

I discovered that there is an option to "Export Data" from the web app to your personal computer, which exports a "csv" file that can be opened with Excel software that supports macros.

P.S I discovered that the web application's is offering a demo-site that anyone may access to play with the web application. So, there's a chance that someone will export the data (CVS) from the demo site and execute it on their PC, giving the malicious actor a complete control over their machine. (if a user enters a malicious payload to the website).

PoC

You can check out my vulnerability report if you need more details/PoC with screenshots: (removed by JC5)

Impact

An attacker can exploit this by entering a specially crafted payload to one of the fields, and when a user export the csv file using the "Export Data" function, the attacker can potentiality can RCE.

Addendum by JC5, the developer of Firefly III

There is zero impact on normal users, even on vulnerable versions.

(GitHub Advisory)

4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-29w6-c52g-m8jc

EPSS Score

CWE

Published

1/31/2024

Updated

1/31/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
grumpydictator/firefly-iii	composer	< 6.1.7	6.1.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The provided vulnerability information describes a CSV injection risk in Firefly III's export functionality, but does not include specific code references, commit diffs, or patching details. While the core issue likely resides in CSV data formatting functions that fail to properly sanitize user-controlled input (e.g., escaping formula-initiating characters like =, -, @), the advisory and description lack concrete evidence of specific function names or file paths. The absence of code context or patch information makes it impossible to identify vulnerable functions with high confidence. A proper analysis would require examining the CSV generation logic in versions <6.1.7 to locate missing input sanitization routines.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *SV inj**tion is * vuln*r**ility w**r* untrust** us*r input in *SV *il*s **n l*** to un*ut*oriz** ****ss or **t* m*nipul*tion. In my su*s*qu*nt t*stin* o* t** *ppli**tion. ### **t*ils I *is*ov*r** t**t t**r* is *n option to "*xport **t*

Reasoning

T** provi*** vuln*r**ility in*orm*tion **s*ri**s * *SV inj**tion risk in *ir**ly III's *xport *un*tion*lity, *ut *o*s not in*lu** sp**i*i* *o** r***r*n**s, *ommit *i**s, or p*t**in* **t*ils. W*il* t** *or* issu* lik*ly r*si**s in *SV **t* *orm*ttin*

4

Basic Information

Concerned about an active attack path?

GHSA-29w6-c52g-m8jc: C5 Firefly III CSV Injection.

Summary

Details

PoC

Impact

Addendum by JC5, the developer of Firefly III

4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI