Lookup of vulnerable packages by Package URL (purl).
| Purl | pkg:composer/grumpydictator/firefly-iii@4.7.2 |
| Type | composer |
| Namespace | grumpydictator |
| Name | firefly-iii |
| Version | 4.7.2 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 5.4.5 |
| Latest_non_vulnerable_version | 6.5.1 |
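The table above decomposes the purl into type, namespace, name, version, qualifiers and subpath, and reports the next and latest versions that none of the recorded vulnerabilities affect. The Python below is an added example, not VulnerableCode's own code: it splits a purl following the grammar of the Package URL specification and reduces a record like this one to an upgrade decision. The record dict is constructed from the values on this page (only the fields the example uses), the function names are ours, and `version_key` is a simplified dotted-version ordering (an assumption; Composer's real version normalisation also handles forms such as `dev-` branches, which this does not).

```python
"""Parse a Package URL (purl) and turn a lookup record into upgrade advice.
Added example, not VulnerableCode's code; names and version ordering are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict
    subpath: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Split pkg:type/namespace/name@version?qualifiers#subpath per the purl spec grammar."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a Package URL: {purl!r}")
    rest = purl[len("pkg:"):].strip("/")
    subpath = None
    if "#" in rest:
        rest, raw_sub = rest.split("#", 1)
        # Drop empty, '.' and '..' segments so a subpath cannot point outside the package root.
        segs = [unquote(s) for s in raw_sub.split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segs) or None
    qualifiers: dict = {}
    if "?" in rest:
        rest, raw_q = rest.split("?", 1)
        for pair in raw_q.split("&"):
            key, _, value = pair.partition("=")
            if key and value:  # the spec drops qualifiers whose value is empty
                qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:
        # Split from the right: an '@' inside a name (npm scopes) must be %-encoded, so
        # the last raw '@' is always the version separator.
        rest, raw_v = rest.rsplit("@", 1)
        version = unquote(raw_v)
    parts = rest.split("/")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return Purl(parts[0].lower(), namespace, unquote(parts[-1]), version, qualifiers, subpath)


def version_key(version: str):
    """Order plain dotted versions, optionally 'v'-prefixed, optionally with a '-pre' suffix.
    Simplification (assumption): Composer's full normalisation is out of scope here."""
    core, _, pre = version.lstrip("vV").partition("-")
    nums = [int(t) if t.isdigit() else 0 for t in core.split(".")]
    while nums and nums[-1] == 0:  # 5.4 compares equal to 5.4.0
        nums.pop()
    # A release sorts above its own pre-releases: 5.0.0-beta < 5.0.0.
    return (tuple(nums), 0 if pre else 1, pre)


# Constructed from the lookup record on this page (only the fields used below).
FIREFLY_4_7_2 = {
    "purl": "pkg:composer/grumpydictator/firefly-iii@4.7.2",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "5.4.5",
    "latest_non_vulnerable_version": "6.5.1",
    "affected_by_vulnerabilities": [
        {"vulnerability_id": "VCID-7j5p-xwqv-k3cf", "aliases": ["CVE-2019-13645", "GHSA-5hpw-vcj2-prwg"]},
        {"vulnerability_id": "VCID-b23p-cn7c-k7av", "aliases": ["CVE-2019-13647", "GHSA-pcxq-28f6-m3fm"]},
        {"vulnerability_id": "VCID-q2aw-rbww-nqc7", "aliases": ["CVE-2020-27981"]},
        {"vulnerability_id": "VCID-v776-99j4-mua2", "aliases": ["CVE-2019-13644", "GHSA-9xmx-rj7j-fv9q"]},
    ],
}


def upgrade_advice(record: dict) -> dict:
    """Reduce one package record to what a remediation ticket needs."""
    p = parse_purl(record["purl"])
    if p.version is None:
        raise ValueError("a version is required to decide vulnerability")
    nxt = record["next_non_vulnerable_version"]
    latest = record["latest_non_vulnerable_version"]
    # Sanity check: the record's own version must sit below its next non-vulnerable version.
    consistent = version_key(p.version) < version_key(nxt) <= version_key(latest)
    cves = sorted(a for v in record["affected_by_vulnerabilities"]
                  for a in v["aliases"] if a.startswith("CVE-"))
    package = f"{p.type}/{p.namespace}/{p.name}" if p.namespace else f"{p.type}/{p.name}"
    return {
        "package": package,
        "pinned": p.version,
        "vulnerable": bool(record["is_vulnerable"]),
        "record_consistent": consistent,
        "minimum_upgrade": nxt,
        "recommended_upgrade": latest,
        "cves": cves,
    }


if __name__ == "__main__":
    print(parse_purl(FIREFLY_4_7_2["purl"]))
    print(upgrade_advice(FIREFLY_4_7_2))
```

Two things worth keeping in mind when acting on such a record: `Is_vulnerable` is a statement about this exact purl, not about a version range, so a different pin needs its own lookup; and `Next_non_vulnerable_version` is the smallest upgrade that clears every listed vulnerability, while `Latest_non_vulnerable_version` is what you would normally pin to.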
| Affected_by_vulnerabilities | 4 entries (0-3), listed below |

Entry 0
| url | VCID-7j5p-xwqv-k3cf |
| vulnerability_id | VCID-7j5p-xwqv-k3cf |
| summary | Cross-site Scripting. Firefly III is vulnerable to stored XSS due to lack of filtering of user-supplied data in image file names. The JavaScript code is executed during `attachments/edit/$file_id$` attachment editing. |
| references | |
| fixed_packages | |
| aliases | CVE-2019-13645, GHSA-5hpw-vcj2-prwg |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-7j5p-xwqv-k3cf |

Entry 1
| url | VCID-b23p-cn7c-k7av |
| vulnerability_id | VCID-b23p-cn7c-k7av |
| summary | Cross-site Scripting. Firefly III is vulnerable to stored XSS due to lack of filtering of user-supplied data in image file content. The JavaScript code is executed during `attachments/view/$file_id$` attachment viewing. |
| references | |
| fixed_packages | |
| aliases | CVE-2019-13647, GHSA-pcxq-28f6-m3fm |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-b23p-cn7c-k7av |

Entry 2
| url | VCID-q2aw-rbww-nqc7 |
| vulnerability_id | VCID-q2aw-rbww-nqc7 |
| summary | Cross-site Scripting. An XSS vulnerability in the auto-complete function of the description field (for new or edited transactions) in Firefly III allows the user to execute JavaScript via suggested transaction titles. NOTE: this is exploitable only in a non-default configuration where Content Security Policy headers are disabled. |
| references | |
| fixed_packages | |
| aliases | CVE-2020-27981 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-q2aw-rbww-nqc7 |

Entry 3
| url | VCID-v776-99j4-mua2 |
| vulnerability_id | VCID-v776-99j4-mua2 |
| summary | Cross-site Scripting. Firefly III is vulnerable to stored XSS due to lack of filtering of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the `tags/show/$tag_number$` tag summary page. |
| references | |
| fixed_packages | |
| aliases | CVE-2019-13644, GHSA-9xmx-rj7j-fv9q |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-v776-99j4-mua2 |
| Fixing_vulnerabilities | |
| Risk_score | null |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@4.7.2 |