
CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

Firefly III is a free and open source personal finance manager. In affected versions, an MFA bypass in the Firefly III OAuth flow may allow malicious users to skip the MFA check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try to sign an OAuth application up to a user's profile quite easily if they have created one. The attacker would also need to know the victim's username and password.
• https://github.com/firefly-iii/firefly-iii/security/advisories/GHSA-4gm4-c4mh-4p7w https://owasp.org/www-community/attacks/Password_Spraying_Attack https://www.menlosecurity.com/what-is/highly-evasive-adaptive-threats-heat/mfa-bypass
• CWE-287: Improper Authentication; CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Firefly III (aka firefly-iii) before 6.1.1 allows HTML injection via webhooks.
• https://github.com/firefly-iii/firefly-iii/releases/tag/v6.1.1
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6.
• https://github.com/firefly-iii/firefly-iii/commit/68f398f97cbe1870fc098d8460bf903b9c3fab30 https://huntr.dev/bounties/79323c9e-e0e5-48ef-bd19-d0b09587ccb2
• CWE-613: Insufficient Session Expiration

CVSS: 9.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0.
• https://github.com/firefly-iii/firefly-iii/commit/6b05c0fbd3e8c40ae9b24dc2698821786fccf0c5 https://huntr.dev/bounties/2c3489f7-6b84-48f8-9368-9cea67cf373d
• CWE-20: Improper Input Validation

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

Incorrect Authorization in GitHub repository firefly-iii/firefly-iii prior to 5.8.0.
• https://github.com/firefly-iii/firefly-iii/commit/db0500dcf0d4f1990fc7a377ef0d56c3884fcaa4 https://huntr.dev/bounties/9689052c-c1d7-4aae-aa08-346c9b6e04ed
• CWE-863: Incorrect Authorization