CVE-2019-14667 - Vulnerability Details - OpenCVE

Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction action.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00307.

Key SSVC decision points have not yet been added.

Vendors	Products
Firefly-iii	Firefly Iii

Configuration 1 [-]

cpe:2.3:a:firefly-iii:firefly_iii:4.7.17.4:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2019-5824	Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction action.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/firefly-iii/firefly-iii/commit/15d4d185bbedf2bb9db4a8fa2ccf9fc359a06194
https://github.com/firefly-iii/firefly-iii/commit/427de0594d05a8222f55b2894311e648ba1be991
https://github.com/firefly-iii/firefly-iii/issues/2363

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-08-05T19:23:40

Updated: 2024-08-05T00:19:41.394Z

Reserved: 2019-08-05T00:00:00

Link: CVE-2019-14667

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-08-05T20:15:11.890

Modified: 2024-11-21T04:27:06.333

Link: CVE-2019-14667

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction action."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-05T19:23:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/firefly-iii/firefly-iii/issues/2363"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/firefly-iii/firefly-iii/commit/427de0594d05a8222f55b2894311e648ba1be991"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/firefly-iii/firefly-iii/commit/15d4d185bbedf2bb9db4a8fa2ccf9fc359a06194"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14667", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction action."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/firefly-iii/firefly-iii/issues/2363", "refsource": "MISC", "url": "https://github.com/firefly-iii/firefly-iii/issues/2363"}, {"name": "https://github.com/firefly-iii/firefly-iii/commit/427de0594d05a8222f55b2894311e648ba1be991", "refsource": "MISC", "url": "https://github.com/firefly-iii/firefly-iii/commit/427de0594d05a8222f55b2894311e648ba1be991"}, {"name": "https://github.com/firefly-iii/firefly-iii/commit/15d4d185bbedf2bb9db4a8fa2ccf9fc359a06194", "refsource": "MISC", "url": "https://github.com/firefly-iii/firefly-iii/commit/15d4d185bbedf2bb9db4a8fa2ccf9fc359a06194"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:19:41.394Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/firefly-iii/firefly-iii/issues/2363"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/firefly-iii/firefly-iii/commit/427de0594d05a8222f55b2894311e648ba1be991"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/firefly-iii/firefly-iii/commit/15d4d185bbedf2bb9db4a8fa2ccf9fc359a06194"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14667", "datePublished": "2019-08-05T19:23:40", "dateReserved": "2019-08-05T00:00:00", "dateUpdated": "2024-08-05T00:19:41.394Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:firefly-iii:firefly_iii:4.7.17.4:*:*:*:*:*:*:*", "matchCriteriaId": "7DE5F84A-E975-4C01-8B27-FFCE39F24EA9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due to the lack of filtration of user-supplied data in the transaction description field and the asset account name. The JavaScript code is executed during a convert transaction action."}, {"lang": "es", "value": "Firefly III 4.7.17.4, es vulnerable a m\u00faltiples problemas de XSS almacenado debido a la falta de filtraci\u00f3n de datos suministrados por el usuario en el campo de descripci\u00f3n de transacci\u00f3n y el nombre de cuenta del activo. El c\u00f3digo JavaScript es ejecutado durante una acci\u00f3n de transacci\u00f3n de conversi\u00f3n."}], "id": "CVE-2019-14667", "lastModified": "2024-11-21T04:27:06.333", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-05T20:15:11.890", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/firefly-iii/firefly-iii/commit/15d4d185bbedf2bb9db4a8fa2ccf9fc359a06194"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/firefly-iii/firefly-iii/commit/427de0594d05a8222f55b2894311e648ba1be991"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/firefly-iii/firefly-iii/issues/2363"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/firefly-iii/firefly-iii/commit/15d4d185bbedf2bb9db4a8fa2ccf9fc359a06194"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/firefly-iii/firefly-iii/commit/427de0594d05a8222f55b2894311e648ba1be991"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/firefly-iii/firefly-iii/issues/2363"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}