CVE-2019-14671: Improper Input Validation

September 8, 2021

Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and import/create/fints.

References

github.com/advisories/GHSA-jjcx-999m-35hc
github.com/firefly-iii/firefly-iii/commit/e80d616ef4397e6e764f6b7b7a5b30121244933c
github.com/firefly-iii/firefly-iii/issues/2367
nvd.nist.gov/vuln/detail/CVE-2019-14671

Detect and mitigate CVE-2019-14671 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →