#VU71371 Improper Authorization in firefly-iii


Published: 2023-01-20

Vulnerability identifier: #VU71371

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-0298

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software: firefly-iii (Other software / Other software solutions)

Vendor: James Cole

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authorization. A remote authenticated user can bypass the authorization check and unblock previously blocked users.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

firefly-iii: 5.7.0 - 5.7.18


External links
http://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4
http://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
