Lookup for vulnerable packages by Package URL.

Purl pkg:composer/grumpydictator/firefly-iii@5.6.3
Type composer
Namespace grumpydictator
Name firefly-iii
Version 5.6.3
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 6.1.17
Latest_non_vulnerable_version 6.5.1
Affected_by_vulnerabilities
0
url VCID-2xs8-eknt-gyap
vulnerability_id VCID-2xs8-eknt-gyap
summary Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-1789
reference_id
reference_type
scores
0
value 0.00189
scoring_system epss
scoring_elements 0.40569
published_at 2026-06-07T12:55:00Z
1
value 0.00189
scoring_system epss
scoring_elements 0.40597
published_at 2026-06-06T12:55:00Z
2
value 0.00189
scoring_system epss
scoring_elements 0.40593
published_at 2026-06-05T12:55:00Z
3
value 0.00189
scoring_system epss
scoring_elements 0.40513
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-1789
1
reference_url https://github.com/firefly-iii/firefly-iii
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii
2
reference_url https://github.com/firefly-iii/firefly-iii/commit/6b05c0fbd3e8c40ae9b24dc2698821786fccf0c5
reference_id
reference_type
scores
0
value 5.2
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T16:44:17Z/
url https://github.com/firefly-iii/firefly-iii/commit/6b05c0fbd3e8c40ae9b24dc2698821786fccf0c5
3
reference_url https://github.com/firefly-iii/firefly-iii/pull/7043
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii/pull/7043
4
reference_url https://huntr.dev/bounties/2c3489f7-6b84-48f8-9368-9cea67cf373d
reference_id
reference_type
scores
0
value 5.2
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T16:44:17Z/
url https://huntr.dev/bounties/2c3489f7-6b84-48f8-9368-9cea67cf373d
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-1789
reference_id CVE-2023-1789
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-1789
6
reference_url https://github.com/advisories/GHSA-mwxw-hxvp-4r2r
reference_id GHSA-mwxw-hxvp-4r2r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mwxw-hxvp-4r2r
fixed_packages
0
url pkg:composer/grumpydictator/firefly-iii@5.7.18
purl pkg:composer/grumpydictator/firefly-iii@5.7.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5as2-q475-7fgv
1
vulnerability VCID-6ydw-rfb3-hbe3
2
vulnerability VCID-jfps-wzcx-vyfj
3
vulnerability VCID-t96s-982j-d3fr
4
vulnerability VCID-zyzb-95vu-bfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.7.18
1
url pkg:composer/grumpydictator/firefly-iii@6.0.0
purl pkg:composer/grumpydictator/firefly-iii@6.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xs8-eknt-gyap
1
vulnerability VCID-5as2-q475-7fgv
2
vulnerability VCID-jfps-wzcx-vyfj
3
vulnerability VCID-zyzb-95vu-bfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.0.0
2
url pkg:composer/grumpydictator/firefly-iii@6.0.1
purl pkg:composer/grumpydictator/firefly-iii@6.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5as2-q475-7fgv
1
vulnerability VCID-jfps-wzcx-vyfj
2
vulnerability VCID-zyzb-95vu-bfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.0.1
aliases CVE-2023-1789, GHSA-mwxw-hxvp-4r2r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2xs8-eknt-gyap
1
url VCID-5as2-q475-7fgv
vulnerability_id VCID-5as2-q475-7fgv
summary
Firefly III allows webhooks HTML Injection.
Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-22075
reference_id
reference_type
scores
0
value 0.00128
scoring_system epss
scoring_elements 0.31815
published_at 2026-06-05T12:55:00Z
1
value 0.00128
scoring_system epss
scoring_elements 0.31746
published_at 2026-06-07T12:55:00Z
2
value 0.00128
scoring_system epss
scoring_elements 0.31784
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-22075
1
reference_url https://github.com/firefly-iii/firefly-iii
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii
2
reference_url https://github.com/firefly-iii/firefly-iii/commit/28021aa711500bbada649de8fab9e72b4084ab21
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii/commit/28021aa711500bbada649de8fab9e72b4084ab21
3
reference_url https://github.com/firefly-iii/firefly-iii/releases/tag/v6.1.1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-17T16:31:14Z/
url https://github.com/firefly-iii/firefly-iii/releases/tag/v6.1.1
4
reference_url https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-22075
reference_id CVE-2024-22075
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-22075
6
reference_url https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire/
reference_id front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-17T16:31:14Z/
url https://www.sonarsource.com/blog/front-end-frameworks-when-bypassing-built-in-sanitization-might-backfire/
7
reference_url https://github.com/advisories/GHSA-vwv2-9wcj-64vx
reference_id GHSA-vwv2-9wcj-64vx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vwv2-9wcj-64vx
fixed_packages
0
url pkg:composer/grumpydictator/firefly-iii@6.1.1
purl pkg:composer/grumpydictator/firefly-iii@6.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jfps-wzcx-vyfj
1
vulnerability VCID-zyzb-95vu-bfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.1.1
aliases CVE-2024-22075, GHSA-vwv2-9wcj-64vx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5as2-q475-7fgv
2
url VCID-6ydw-rfb3-hbe3
vulnerability_id VCID-6ydw-rfb3-hbe3
summary Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-1788
reference_id
reference_type
scores
0
value 0.00226
scoring_system epss
scoring_elements 0.45445
published_at 2026-06-07T12:55:00Z
1
value 0.00226
scoring_system epss
scoring_elements 0.45393
published_at 2026-06-04T12:55:00Z
2
value 0.00226
scoring_system epss
scoring_elements 0.45462
published_at 2026-06-05T12:55:00Z
3
value 0.00226
scoring_system epss
scoring_elements 0.45465
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-1788
1
reference_url https://github.com/firefly-iii/firefly-iii
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii
2
reference_url https://github.com/firefly-iii/firefly-iii/commit/68f398f97cbe1870fc098d8460bf903b9c3fab30
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T20:41:29Z/
url https://github.com/firefly-iii/firefly-iii/commit/68f398f97cbe1870fc098d8460bf903b9c3fab30
3
reference_url https://huntr.dev/bounties/79323c9e-e0e5-48ef-bd19-d0b09587ccb2
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-10T20:41:29Z/
url https://huntr.dev/bounties/79323c9e-e0e5-48ef-bd19-d0b09587ccb2
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-1788
reference_id CVE-2023-1788
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-1788
5
reference_url https://github.com/advisories/GHSA-h7vv-46p5-prmh
reference_id GHSA-h7vv-46p5-prmh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h7vv-46p5-prmh
fixed_packages
0
url pkg:composer/grumpydictator/firefly-iii@6.0.0
purl pkg:composer/grumpydictator/firefly-iii@6.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xs8-eknt-gyap
1
vulnerability VCID-5as2-q475-7fgv
2
vulnerability VCID-jfps-wzcx-vyfj
3
vulnerability VCID-zyzb-95vu-bfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.0.0
aliases CVE-2023-1788, GHSA-h7vv-46p5-prmh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6ydw-rfb3-hbe3
3
url VCID-jfps-wzcx-vyfj
vulnerability_id VCID-jfps-wzcx-vyfj
summary
Firefly III has an MFA bypass in OAuth flow
An MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA check. This allows malicious users to use password spraying to gain access to your Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try to sign an OAuth application up to a user's profile quite easily if they have created one. The attacker would also need to know the victim's username and password.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-37893
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08433
published_at 2026-06-07T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.08453
published_at 2026-06-06T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.08441
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-37893
1
reference_url https://github.com/firefly-iii/firefly-iii
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii
2
reference_url https://owasp.org/www-community/attacks/Password_Spraying_Attack
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-15T19:20:53Z/
url https://owasp.org/www-community/attacks/Password_Spraying_Attack
3
reference_url https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-15T19:20:53Z/
url https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-37893
reference_id CVE-2024-37893
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-37893
5
reference_url https://github.com/advisories/GHSA-4gm4-c4mh-4p7w
reference_id GHSA-4gm4-c4mh-4p7w
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4gm4-c4mh-4p7w
6
reference_url https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-4gm4-c4mh-4p7w
reference_id GHSA-4gm4-c4mh-4p7w
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-15T19:20:53Z/
url https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-4gm4-c4mh-4p7w
fixed_packages
0
url pkg:composer/grumpydictator/firefly-iii@6.1.17
purl pkg:composer/grumpydictator/firefly-iii@6.1.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.1.17
aliases CVE-2024-37893, GHSA-4gm4-c4mh-4p7w
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jfps-wzcx-vyfj
4
url VCID-pvmv-dy5p-pkbn
vulnerability_id VCID-pvmv-dy5p-pkbn
summary firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-4005
reference_id
reference_type
scores
0
value 0.00161
scoring_system epss
scoring_elements 0.36737
published_at 2026-06-04T12:55:00Z
1
value 0.00161
scoring_system epss
scoring_elements 0.36801
published_at 2026-06-07T12:55:00Z
2
value 0.00161
scoring_system epss
scoring_elements 0.36835
published_at 2026-06-06T12:55:00Z
3
value 0.00161
scoring_system epss
scoring_elements 0.36829
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-4005
1
reference_url https://github.com/firefly-iii/firefly-iii
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii
2
reference_url https://github.com/firefly-iii/firefly-iii/commit/03a1601bf343181df9f405dd2109aec483cb7053
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii/commit/03a1601bf343181df9f405dd2109aec483cb7053
3
reference_url https://huntr.dev/bounties/bf4ef581-325a-492d-a710-14fcb53f00ff
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/bf4ef581-325a-492d-a710-14fcb53f00ff
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-4005
reference_id CVE-2021-4005
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-4005
5
reference_url https://github.com/advisories/GHSA-hjhp-hwfj-hwf3
reference_id GHSA-hjhp-hwfj-hwf3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hjhp-hwfj-hwf3
fixed_packages
0
url pkg:composer/grumpydictator/firefly-iii@5.6.5
purl pkg:composer/grumpydictator/firefly-iii@5.6.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xs8-eknt-gyap
1
vulnerability VCID-5as2-q475-7fgv
2
vulnerability VCID-6ydw-rfb3-hbe3
3
vulnerability VCID-jfps-wzcx-vyfj
4
vulnerability VCID-t96s-982j-d3fr
5
vulnerability VCID-zyzb-95vu-bfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.5
aliases CVE-2021-4005, GHSA-hjhp-hwfj-hwf3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pvmv-dy5p-pkbn
5
url VCID-t96s-982j-d3fr
vulnerability_id VCID-t96s-982j-d3fr
summary
Incorrect Authorization
Improper Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-0298
reference_id
reference_type
scores
0
value 0.00165
scoring_system epss
scoring_elements 0.37295
published_at 2026-06-07T12:55:00Z
1
value 0.00165
scoring_system epss
scoring_elements 0.3723
published_at 2026-06-04T12:55:00Z
2
value 0.00165
scoring_system epss
scoring_elements 0.37322
published_at 2026-06-05T12:55:00Z
3
value 0.00165
scoring_system epss
scoring_elements 0.37327
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-0298
1
reference_url https://github.com/firefly-iii/firefly-iii
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii
2
reference_url https://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T18:41:12Z/
url https://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4
3
reference_url https://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-07T18:41:12Z/
url https://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-0298
reference_id CVE-2023-0298
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-0298
5
reference_url https://github.com/advisories/GHSA-7mc4-jp4f-v2j2
reference_id GHSA-7mc4-jp4f-v2j2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7mc4-jp4f-v2j2
fixed_packages
0
url pkg:composer/grumpydictator/firefly-iii@5.8.0
purl pkg:composer/grumpydictator/firefly-iii@5.8.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xs8-eknt-gyap
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.8.0
aliases CVE-2023-0298, GHSA-7mc4-jp4f-v2j2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t96s-982j-d3fr
6
url VCID-vkg3-xm11-3qdh
vulnerability_id VCID-vkg3-xm11-3qdh
summary firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-4015
reference_id
reference_type
scores
0
value 0.00161
scoring_system epss
scoring_elements 0.36737
published_at 2026-06-04T12:55:00Z
1
value 0.00161
scoring_system epss
scoring_elements 0.36801
published_at 2026-06-07T12:55:00Z
2
value 0.00161
scoring_system epss
scoring_elements 0.36835
published_at 2026-06-06T12:55:00Z
3
value 0.00161
scoring_system epss
scoring_elements 0.36829
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-4015
1
reference_url https://github.com/firefly-iii/firefly-iii
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii
2
reference_url https://github.com/firefly-iii/firefly-iii/commit/518b4ba5a7a56760902758ae0a2c6a392c2f4d37
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii/commit/518b4ba5a7a56760902758ae0a2c6a392c2f4d37
3
reference_url https://github.com/firefly-iii/firefly-iii/releases/tag/5.6.5
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii/releases/tag/5.6.5
4
reference_url https://huntr.dev/bounties/b698d445-602d-4701-961c-dffe6d3009b1
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/b698d445-602d-4701-961c-dffe6d3009b1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-4015
reference_id CVE-2021-4015
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-4015
6
reference_url https://github.com/advisories/GHSA-g6vq-wc8w-4g69
reference_id GHSA-g6vq-wc8w-4g69
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g6vq-wc8w-4g69
fixed_packages
0
url pkg:composer/grumpydictator/firefly-iii@5.6.4
purl pkg:composer/grumpydictator/firefly-iii@5.6.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xs8-eknt-gyap
1
vulnerability VCID-5as2-q475-7fgv
2
vulnerability VCID-6ydw-rfb3-hbe3
3
vulnerability VCID-jfps-wzcx-vyfj
4
vulnerability VCID-pvmv-dy5p-pkbn
5
vulnerability VCID-t96s-982j-d3fr
6
vulnerability VCID-zyzb-95vu-bfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.4
1
url pkg:composer/grumpydictator/firefly-iii@5.6.5
purl pkg:composer/grumpydictator/firefly-iii@5.6.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xs8-eknt-gyap
1
vulnerability VCID-5as2-q475-7fgv
2
vulnerability VCID-6ydw-rfb3-hbe3
3
vulnerability VCID-jfps-wzcx-vyfj
4
vulnerability VCID-t96s-982j-d3fr
5
vulnerability VCID-zyzb-95vu-bfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.5
aliases CVE-2021-4015, GHSA-g6vq-wc8w-4g69
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vkg3-xm11-3qdh
7
url VCID-zyzb-95vu-bfbp
vulnerability_id VCID-zyzb-95vu-bfbp
summary
C5 Firefly III CSV Injection.
### Summary
CSV injection is a vulnerability where untrusted user input in CSV files can lead to unauthorized access or data manipulation. 
In my subsequent testing of the application.

### Details
I discovered that there is an option to "Export Data" from the web app to your personal computer, which exports a "csv" file that can be opened with Excel software that supports macros.

P.S.
I discovered that the web application is offering a demo site that anyone may access to play with the web application. So, there's a chance that someone will export the data (CSV) from the demo site and execute it on their PC, giving the malicious actor complete control over their machine (if a user enters a malicious payload into the website).

### PoC
You can check out my vulnerability report if you need more details/PoC with screenshots: (removed by JC5)

### Impact
An attacker can exploit this by entering a specially crafted payload into one of the fields, and when a user exports the CSV file using the "Export Data" function, the attacker can potentially achieve RCE.

### Addendum by JC5, the developer of Firefly III
There is zero impact on normal users, even on vulnerable versions.
references
0
reference_url https://github.com/firefly-iii/firefly-iii
reference_id
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii
1
reference_url https://github.com/advisories/GHSA-29w6-c52g-m8jc
reference_id GHSA-29w6-c52g-m8jc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-29w6-c52g-m8jc
2
reference_url https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-29w6-c52g-m8jc
reference_id GHSA-29w6-c52g-m8jc
reference_type
scores
0
value 4.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-29w6-c52g-m8jc
fixed_packages
0
url pkg:composer/grumpydictator/firefly-iii@6.1.7
purl pkg:composer/grumpydictator/firefly-iii@6.1.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jfps-wzcx-vyfj
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@6.1.7
aliases GHSA-29w6-c52g-m8jc, GMS-2024-52
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zyzb-95vu-bfbp
Fixing_vulnerabilities
0
url VCID-f1nj-u7yz-zycr
vulnerability_id VCID-f1nj-u7yz-zycr
summary firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-3921
reference_id
reference_type
scores
0
value 0.00117
scoring_system epss
scoring_elements 0.30101
published_at 2026-06-04T12:55:00Z
1
value 0.00117
scoring_system epss
scoring_elements 0.30107
published_at 2026-06-07T12:55:00Z
2
value 0.00117
scoring_system epss
scoring_elements 0.30138
published_at 2026-06-06T12:55:00Z
3
value 0.00117
scoring_system epss
scoring_elements 0.30173
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-3921
1
reference_url https://github.com/firefly-iii/firefly-iii
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii
2
reference_url https://github.com/firefly-iii/firefly-iii/commit/47fa9e39561a9ec9e210e4023d090a7b33381684
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/firefly-iii/firefly-iii/commit/47fa9e39561a9ec9e210e4023d090a7b33381684
3
reference_url https://huntr.dev/bounties/724d3fd5-9f04-45c4-98d6-35a7d15468f5
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://huntr.dev/bounties/724d3fd5-9f04-45c4-98d6-35a7d15468f5
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-3921
reference_id CVE-2021-3921
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-3921
5
reference_url https://github.com/advisories/GHSA-q2cv-94xm-qvg4
reference_id GHSA-q2cv-94xm-qvg4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q2cv-94xm-qvg4
fixed_packages
0
url pkg:composer/grumpydictator/firefly-iii@5.6.3
purl pkg:composer/grumpydictator/firefly-iii@5.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xs8-eknt-gyap
1
vulnerability VCID-5as2-q475-7fgv
2
vulnerability VCID-6ydw-rfb3-hbe3
3
vulnerability VCID-jfps-wzcx-vyfj
4
vulnerability VCID-pvmv-dy5p-pkbn
5
vulnerability VCID-t96s-982j-d3fr
6
vulnerability VCID-vkg3-xm11-3qdh
7
vulnerability VCID-zyzb-95vu-bfbp
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.3
aliases CVE-2021-3921, GHSA-q2cv-94xm-qvg4
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f1nj-u7yz-zycr
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/grumpydictator/firefly-iii@5.6.3