Stored XSS in budget name #2335
Comments
Thanks, nice find. I'll verify and push an update as soon as I can. You're mixing up tags and budgets by the way, is this correct?
Sorry, I see what you mean.
I have pushed 4.7.17.1 that should fix the bug and a similar one in category names. The docker builds are running now. In my haste, I completely forgot to credit you, which I will do in my release post and on reddit, after you confirm the issue is gone. I've reopened the issue as GitHub has automatically closed it.
I checked commit 45ddb64 and see only version changes in some files and title changes in others. But anyway, I got the source code from https://github.com/firefly-iii/firefly-iii/releases/tag/4.7.17.1 and installed it for checking. The vulnerability still exists. I uploaded the video to Dropbox: (https://www.dropbox.com/s/gdr87bh4pat5ly5/xss_2.mov?dl=0)
You're right. I am an idiot. I pushed the correct fix in 4.7.17.2. Can you confirm?
Confirmed, I cannot reproduce the XSS. Thank you for such a quick fix and for this wonderful budget app.
No problem, please do. You know where to find me!
Description
The current version of Firefly III, 4.7.17, is vulnerable to stored XSS due to a lack of filtering of user-supplied data in the budget name. A malicious attacker can create a specially crafted link which contains JavaScript code and assign it to a budget name. When a user who adds transactions with the malicious budget views the page with that transaction on the tag summary page (http://firefly.host/tags/show/$tag_number$), the malicious JavaScript code will be executed.
Steps to reproduce
I created a small video of the reproduction steps.
XSS Steps.zip
PoC
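The bug class described in this report is a stored budget name being written into the tag summary page without output encoding. The following is an added example (not Firefly III code, and not the reporter's PoC) that renders a constructed budget name into a hypothetical page fragment first the unsafe way and then with HTML-escaping at output time, and includes a simple check a view test could use to detect markup or quote characters that did not come from the template. The template, the sample budget names and the function names are all assumptions made for this illustration.

```python
"""Unsafe vs. escaped rendering of a user-supplied budget name (added example).

The vulnerable pattern is raw interpolation of stored data into HTML; the fix
is to encode at the point of output, for both element content and attribute
values, rather than trying to filter the value when it is saved.
"""
import html
import re

# Constructed sample budget names. The second and third carry markup and a
# quote-breakout the way a malicious budget name in the report would.
SAMPLE_BUDGETS = [
    "Groceries",
    'Rent <script>alert("xss")</script>',
    'Fun" onmouseover="alert(1)',
]

# Hypothetical fragment standing in for one budget entry on the tag summary page.
TEMPLATE = '<li class="budget" title="{title}">{name}</li>'
TEMPLATE_QUOTES = TEMPLATE.count('"')  # 4 quote characters belong to the template


def render_unsafe(name: str) -> str:
    """Interpolates the budget name verbatim: the stored-XSS pattern."""
    return TEMPLATE.format(title=name, name=name)


def render_safe(name: str) -> str:
    """Escapes the name for both the attribute value and the element content.

    quote=True also encodes " and ' so the title attribute cannot be closed early.
    """
    escaped = html.escape(name, quote=True)
    return TEMPLATE.format(title=escaped, name=escaped)


# Any tag other than the template's own <li> / </li> is foreign to this fragment.
FOREIGN_TAG_RE = re.compile(r"<(?!/?li\b)[^>]*>")


def contains_injected_markup(rendered: str) -> bool:
    """Defender-side check for a view test: True if the rendered fragment
    contains a tag or quote character that the template itself did not emit."""
    if FOREIGN_TAG_RE.search(rendered):
        return True
    return rendered.count('"') != TEMPLATE_QUOTES


def audit(names=SAMPLE_BUDGETS) -> dict:
    """Renders every sample both ways and reports which renderings are tainted."""
    return {
        name: {
            "unsafe_tainted": contains_injected_markup(render_unsafe(name)),
            "safe_tainted": contains_injected_markup(render_safe(name)),
        }
        for name in names
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name!r}: {result}")
```

The check is deliberately narrow: it only knows what the template emits, so any other tag or any change in the number of quote characters is a sign that user data escaped its context. A real fix lives in the template layer (escaped output as the default and raw output only for values the application itself produced), and a test like `contains_injected_markup` guards against that default being switched off again.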