Improper Neutralization of Formula Elements in a CSV File in Firefly III - #VU132079

Published: January 31, 2024 / Updated: May 21, 2026


Vulnerability identifier: #VU132079
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-1236
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: James Cole
Affected software:
Firefly III

Detailed vulnerability description

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper neutralization of formula elements in a CSV file produced by the Export Data feature: user-controlled data is written to CSV files that are later opened in spreadsheet software. A local privileged user can enter a specially crafted payload into an exported field to execute arbitrary code.

User interaction is required to export the csv file and open it in spreadsheet software.
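The mitigation for this bug class, as an added illustration that is not part of the advisory or of Firefly III's own (PHP) code: a CSV export routine in Python that neutralizes formula-triggering cells before they are written, plus an audit helper that flags stored values already shaped like formulas. The field names and sample rows are constructed for the example.

```python
import csv
import io

# Leading characters that make common spreadsheet software evaluate a cell
# as a formula instead of showing it as text (the CWE-1236 trigger set).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a text cell would be interpreted as a formula when opened."""
    stripped = value.lstrip()  # some apps ignore leading whitespace
    return bool(stripped) and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(value) -> str:
    """Return a cell value that is safe to emit into a CSV export.

    Numbers pass through unchanged (a negative amount is not a formula);
    text starting with a trigger is prefixed with an apostrophe, which
    spreadsheet apps treat as "render the rest literally".
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def export_rows(rows, fieldnames) -> str:
    """Write rows to CSV text, neutralizing every cell and quoting all fields
    so embedded separators or quotes cannot break out of a cell."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def flag_suspicious_rows(rows, fieldnames):
    """Audit helper: (row index, field) for text values that look like formulas."""
    return [(i, k) for i, row in enumerate(rows) for k in fieldnames
            if isinstance(row.get(k), str) and is_formula_like(row[k])]


# Constructed sample data shaped like a transaction export (not real records).
FIELDNAMES = ["date", "description", "amount"]
SAMPLE_ROWS = [
    {"date": "2024-01-31", "description": "Groceries", "amount": -12.5},
    {"date": "2024-02-01", "description": "=SUM(A1:A2)", "amount": 100},
    {"date": "2024-02-02", "description": "@reminder", "amount": 3},
]
```

Note that string-typed amounts such as "-12.50" would also be prefixed; keep numeric columns numeric before export, or exempt them explicitly, to avoid that side effect.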


Remediation

Install security update from vendor's website.

Sources