CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14670
https://notcve.org/view.php?id=CVE-2019-14670
05 Aug 2019 — Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill creation. Firefly III versión 4.7.17.3, es vulnerable a una ataque de tipo XSS almacenado debido a la falta de filtración de datos suministrados por el usuario en el campo de nombre de factura. El código JavaScript es ejecutado durante la creación de la regla de factura. • https://github.com/firefly-iii/firefly-iii/commit/692b256f3f6d9eab992a72eb042844220b314054 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14671
https://notcve.org/view.php?id=CVE-2019-14671
05 Aug 2019 — Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and import/create/fints. Firefly III versión 4.7.17.3, es vulnerable a la enumeración de archivos locales. Un atacante puede enumerar archivos locales debido a la falta de saneamiento del esquema de protocolo, tal y como para las URL file:///. • https://github.com/firefly-iii/firefly-iii/commit/e80d616ef4397e6e764f6b7b7a5b30121244933c • CWE-20: Improper Input Validation •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14672
https://notcve.org/view.php?id=CVE-2019-14672
05 Aug 2019 — Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the liability name field. The JavaScript code is executed upon an error condition during a visit to the account show page. Firefly III versión 4.7.17.5, es vulnerable a un ataque de tipo XSS almacenado debido a la falta de filtración de datos suministrados por el usuario en el campo de nombre de responsabilidad. El código JavaScript es ejecutado con una condición de error durante una visita a la página de... • https://github.com/firefly-iii/firefly-iii/commit/8717f469b10e9f7e1547c6f70f7d24e1359d28d4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-13647
https://notcve.org/view.php?id=CVE-2019-13647
18 Jul 2019 — Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$file_id$ attachment viewing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability ** EN DISPUTA ** Firefly III anterior a versión 4.7.17.3, es vulnerable a un problema de tipo XSS almacenado debido a la falta de filtrado de los datos suministrados p... • https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-13646
https://notcve.org/view.php?id=CVE-2019-13646
18 Jul 2019 — Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack of filtration of user-supplied data in a search query. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability ** EN DISPUTA ** Firefly III anterior a versión 4.7.17.3, es vulnerable a un problema de tipo XSS reflejado debido a la falta de filtrado de los datos suministrados por el usuario en una consulta de búsqueda. NOTA: Se afirma que un atacante debe tener lo... • https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-13645
https://notcve.org/view.php?id=CVE-2019-13645
18 Jul 2019 — Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file names. The JavaScript code is executed during attachments/edit/$file_id$ attachment editing. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability ** EN DISPUTA ** Firefly III anterior a versión 4.7.17.3, es vulnerable a un problema de tipo XSS almacenado debido a la falta de filtrado de los datos suministrados por... • https://github.com/firefly-iii/firefly-iii/compare/a70b7cc...7d482aa • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-13644
https://notcve.org/view.php?id=CVE-2019-13644
18 Jul 2019 — Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page. NOTE: It is asserted that an attacker must have the same access rights as the user in order to be able to execute the vulnerability ** EN DISPUTA ** Firefly III anterior a versión 4.7.17.1, es vulnerable a XSS almacenado debido a la falta de filtrado de los datos suministrad... • https://github.com/firefly-iii/firefly-iii/compare/76aa8ac...45b8c36 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 12%CPEs: 1EXPL: 1CVE-2007-5824 – Firefly Media Server 0.2.4 - Remote Denial of Service
https://notcve.org/view.php?id=CVE-2007-5824
05 Nov 2007 — webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a stats method action to /xml-rpc with (1) an empty Authorization header line, which triggers a crash in the ws_decodepassword function; or (2) a header line without a ':' character, which triggers a crash in the ws_getheaders function. webserver.c en mt-dappd in Firefly Media Server 0.2.4 y anteriores permite a atacantes remotos provocar denegación d... • https://www.exploit-db.com/exploits/4600 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 0CVE-2007-5825
https://notcve.org/view.php?id=CVE-2007-5825
05 Nov 2007 — Format string vulnerability in the ws_addarg function in webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allows remote attackers to execute arbitrary code via a stats method action to /xml-rpc with format string specifiers in the (1) username or (2) password portion of base64-encoded data on the "Authorization: Basic" HTTP header line. Vulnerabilidad de formato de cadena en la función ws_addarg en webserver.c en mt-dappd en Firefly Media Server 0.2.4 y anteriores permite a atacantes remoto... • http://bugs.gentoo.org/show_bug.cgi?id=200110 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-2460
https://notcve.org/view.php?id=CVE-2007-2460
02 May 2007 — PHP remote file inclusion vulnerability in modules/admin/include/config.php in FireFly 1.1.01 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Vulnerabilidad de inclusión remota de archivo en PHP en modules/admin/include/config.php en FireFly 1.1.01 y anteriores permite a atacantes remotos ejecutar código PHP de su elección a través de ... • http://www.attrition.org/pipermail/vim/2007-May/001573.html •