CVE-2019-13647

MEDIUM5.4EPSS 0.21%

Firefly III vulnerable to image-based stored XSS

Published: 5/24/2022Modified: 2/16/2024

Description

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing.

Affected packages (1)

Packagist/grumpydictator/firefly-iiifrom 0, < 4.7.17.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-13647
WEBhttps://github.com/firefly-iii/firefly-iii/commit/531161db0902154fed433bb33bdb2cabd61ae6dc
WEBhttps://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa
WEBhttps://github.com/firefly-iii/firefly-iii/issues/2338