Vulnerability identifier: #VU71371
Vulnerability risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-285 (Improper Authorization)
Exploitation vector: Network
Exploit availability: No
Vulnerable software: firefly-iii
Software category: Other software / Other software solutions
Vendor: James Cole
Description
The vulnerability allows a remote authenticated user to bypass authorization checks.
The vulnerability exists due to improper authorization: the action that unblocks a user account verifies that the caller is logged in but not that the caller is permitted to manage other users. A remote user holding an ordinary account (the CVSS vector records this as PR:L) can therefore invoke that action and unblock previously blocked users.
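The following is an added illustration of the flaw class described above and is not Firefly III's own code. It contrasts an "unblock user" handler that checks authentication only (the CWE-285 pattern) with a hardened handler that also applies an explicit authorization policy before changing state. The User and Request types, the is_admin flag, the in-memory user table and all function names are assumptions made for the example.

```python
# Added illustration for this advisory (CWE-285, improper authorization). This is
# constructed code, not Firefly III's own. The User/Request types, the `is_admin`
# flag, the sample data and the function names are assumptions for the example.
from dataclasses import dataclass
from typing import Dict, Optional


class Unauthenticated(Exception):
    """Caller has no session at all (would be an HTTP 401)."""


class Forbidden(Exception):
    """Caller is logged in but not permitted to perform the action (HTTP 403)."""


@dataclass
class User:
    id: int
    email: str
    is_admin: bool = False   # assumed role flag
    blocked: bool = False


@dataclass
class Request:
    actor: Optional[User]    # None models an unauthenticated request
    target_id: int


def make_users() -> Dict[int, User]:
    """Constructed sample data: one admin, one ordinary user, one blocked user."""
    return {
        1: User(1, "admin@example.test", is_admin=True),
        2: User(2, "alice@example.test"),
        3: User(3, "mallory@example.test", blocked=True),
    }


def unblock_vulnerable(req: Request, users: Dict[int, User]) -> User:
    """The flaw class: only authentication is checked, so any logged-in
    account (CVSS PR:L) can clear the blocked flag on any other account."""
    if req.actor is None:
        raise Unauthenticated()
    target = users[req.target_id]
    target.blocked = False
    return target


def may_manage_users(actor: User) -> bool:
    """Authorization policy kept in one place so every user-management
    action applies the same rule (here: administrators only)."""
    return actor.is_admin


def unblock_fixed(req: Request, users: Dict[int, User]) -> User:
    """Hardened form: authentication, then an explicit authorization check,
    and only then the state change."""
    if req.actor is None:
        raise Unauthenticated()
    if not may_manage_users(req.actor):
        raise Forbidden("caller may not manage user accounts")
    target = users[req.target_id]
    target.blocked = False
    return target


def demo() -> dict:
    """Run both handlers as the ordinary user (id 2) against the blocked
    user (id 3) and report what each one did."""
    users = make_users()
    unblock_vulnerable(Request(actor=users[2], target_id=3), users)
    vulnerable_unblocked = not users[3].blocked   # True: Alice unblocked Mallory

    users = make_users()
    try:
        unblock_fixed(Request(actor=users[2], target_id=3), users)
        fixed_outcome = "allowed"
    except Forbidden:
        fixed_outcome = "forbidden"
    return {
        "vulnerable_unblocked": vulnerable_unblocked,
        "fixed_outcome": fixed_outcome,
        "still_blocked": users[3].blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the policy helper is that the authorization decision is made server-side, per request, from the caller's own identity, never from a client-supplied parameter; a regression test that calls the endpoint as a non-admin and expects a 403 is the cheapest way to keep this class of bug from returning.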
Mitigation
Install updates from the vendor's website. The fix is the commit referenced under External links; deploy a release that contains it.
Vulnerable software versions
firefly-iii: 5.7.0 - 5.7.18
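As an added check for this advisory (constructed here, not vendor tooling), the snippet below decides whether a reported Firefly III version falls inside the affected range quoted above. The range is taken from this page; the handling of a leading "v" and of a pre-release suffix is an assumption about how a version string might be reported. It also shows why the comparison must be done on numeric components: compared as text, "5.7.2" sorts after "5.7.18", so a naive string check silently misses several affected patch levels.

```python
# Added check for this advisory: is a given version inside 5.7.0 - 5.7.18?
# Constructed example, not Firefly III tooling. The range comes from this page;
# the 'v' prefix and pre-release suffix handling are assumptions.
from typing import Tuple

AFFECTED_RANGES = [("5.7.0", "5.7.18")]   # inclusive bounds, as stated on this page


def parse_version(text: str) -> Tuple[int, ...]:
    """'v5.7.18' or '5.7.18-beta.1' -> (5, 7, 18). Tuples of ints compare
    component-wise, which is what a version comparison needs."""
    core = text.strip().lstrip("vV").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """Correct check: numeric, component-wise comparison against each range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def naive_is_affected(version: str) -> bool:
    """What NOT to do: plain string comparison. '5.7.2' > '5.7.18' as text
    because '2' > '1', so patch levels 5.7.2 through 5.7.9 are missed."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for candidate in ("5.7.2", "5.7.18", "5.7.19"):
        print(candidate, "numeric:", is_affected(candidate), "naive:", naive_is_affected(candidate))
```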
External links
http://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4
http://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.