VYPR
Moderate severity · NVD Advisory · Published Jul 18, 2019 · Updated Aug 4, 2024

CVE-2019-13645

Description

Firefly III before 4.7.17.3 is vulnerable to stored XSS because user-supplied data in image file names is not filtered. The JavaScript code is executed during attachment editing at attachments/edit/$file_id$. NOTE: it is asserted that an attacker must have the same access rights as the user in order to exploit the vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Firefly III before 4.7.17.3 has stored XSS via unsanitized image file names, executed when editing attachments.

Vulnerability

Details

Firefly III versions prior to 4.7.17.3 are vulnerable to stored cross-site scripting (XSS) because user-supplied data in image file names is not properly filtered [1]. The malicious JavaScript payload is stored with the attachment and later executed on the attachments/edit/$file_id$ page when a user edits that attachment [3]. The fix commit listed under Patches locates the sink: the edit template rendered attachment.filename and attachment.mime through ExpandedForm.staticText without Twig's escape filter.

Exploitation

An attacker uploads an image whose file name contains JavaScript. For example, a file name such as `` will cause the script to execute when the attachment's edit page is opened. Such a name can be created directly on a Linux file system, which permits characters like < and > in file names, or set by intercepting the multipart upload request and editing the filename parameter of its Content-Disposition header with a local proxy such as Burp Suite [3]. The attacker must have the same access rights as the victim user to perform the upload [1].
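The upload and the two renderings of the edit page, as an added example that is not Firefly III's own code (the project is PHP/Twig; this is a Python model of the same mechanics). The payload file name, the form field name `attachments[]`, the markup of the hypothetical `render_static_text_*` helpers and the `sanitize_filename` allowlist are assumptions for illustration; only the raw-versus-escaped distinction mirrors the upstream fix.

```python
"""Added example, not Firefly III's own code: models CVE-2019-13645 end to
end with hypothetical helpers. The payload file name, the field name
'attachments[]', the template markup and the sanitizer are assumptions
for illustration only; the raw-vs-escaped distinction mirrors the fix."""
import html
import re

# Constructed payload: a script element embedded in an image file name.
# Linux file systems allow '<', '>' and '(' in names, and a proxy can set
# the filename parameter of the multipart request regardless of the OS.
PAYLOAD_NAME = "<script>alert(document.cookie)</script>.png"


def build_multipart_upload(field, filename, content, boundary="vypr-example"):
    """Return (Content-Type header, body) for a multipart/form-data upload.
    The filename parameter is the value the server later stores and renders."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: image/png\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def parse_upload_filename(body):
    """Extract the filename parameter the way a framework's request parser
    would, without any validation (the state of affairs before the fix)."""
    m = re.search(rb'filename="([^"\r\n]*)"', body)
    return m.group(1).decode() if m else ""


def render_static_text_unpatched(label, value):
    """Hypothetical stand-in for ExpandedForm.staticText before 4.7.17.3:
    the value is interpolated into the HTML as-is."""
    return (f'<div class="form-group"><label>{label}</label>'
            f'<p class="form-control-static">{value}</p></div>')


def render_static_text_patched(label, value):
    """Same output with the fix applied: the value goes through |escape, which
    in Twig defaults to the HTML strategy and escapes & < > " ' much as
    html.escape(quote=True) does here."""
    return render_static_text_unpatched(label, html.escape(value, quote=True))


def contains_executable_markup(rendered):
    """Crude check for a live script element or inline event handler in the
    rendered page; enough to tell the two renderings apart."""
    return re.search(r"<script\b|\son\w+\s*=", rendered, re.IGNORECASE) is not None


def sanitize_filename(name):
    """Defense in depth (an assumption, not part of the upstream fix): reduce
    a stored file name to an allowlist so no markup survives even if some
    other template renders it raw."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)


def simulate():
    """Run the crafted upload through both versions of the edit page."""
    _, body = build_multipart_upload("attachments[]", PAYLOAD_NAME, b"\x89PNG\r\n")
    stored = parse_upload_filename(body)
    before = render_static_text_unpatched("Filename", stored)
    after = render_static_text_patched("Filename", stored)
    return {
        "stored_name": stored,
        "unpatched_executes": contains_executable_markup(before),
        "patched_executes": contains_executable_markup(after),
        "patched_html": after,
        "sanitized_name": sanitize_filename(stored),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running `simulate()` shows the stored name passing unchanged through the request parser, the unpatched rendering carrying a live script element and the patched rendering carrying only entity-encoded text. The allowlist sanitizer is extra to what upstream shipped; output escaping is the actual fix and is where the check belongs, but normalizing the name at storage time protects every other template that might render it.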

Impact

Successful exploitation executes arbitrary JavaScript in the victim's browser session, in the origin of the Firefly III instance. That allows data theft, session hijacking or actions performed as the victim inside the application, compromising the confidentiality and integrity of the user's financial data. The NOTE in the description matters for triage: the attacker already needs the same access rights as the user to upload the attachment [1], so the exposure is to other users of the same instance who open the attachment's edit page, not to unauthenticated parties.

Mitigation

The vulnerability has been fixed in Firefly III version 4.7.17.3 [1][4]. Users should upgrade to this version or later. There are no known workarounds. The issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of this analysis.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions   Patched versions
grumpydictator/firefly-iii  Packagist   < 4.7.17.3          4.7.17.3

Affected products: 2

Patches: 1

Commit 17a66b305609

Fixes #2337

https://github.com/firefly-iii/firefly-iii · James Cole · Jul 16, 2019 · via GHSA
1 file changed · +2 −2
  • resources/views/v1/attachments/edit.twig (+2 −2, modified)
    @@ -18,8 +18,8 @@
                             <h3 class="box-title">{{ 'mandatoryFields'|_ }}</h3>
                         </div>
                         <div class="box-body">
    -                        {{ ExpandedForm.staticText('filename',attachment.filename) }}
    -                        {{ ExpandedForm.staticText('mime',attachment.mime) }}
    +                        {{ ExpandedForm.staticText('filename',attachment.filename|escape) }}
    +                        {{ ExpandedForm.staticText('mime',attachment.mime|escape) }}
                             {{ ExpandedForm.staticText('size',attachment.size|filesize) }}
                         </div>
                     </div>
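Review bot: the fix escapes attachment.filename and attachment.mime only at this one call site, which leaves the root cause in place: ExpandedForm.staticText evidently emits its argument without Twig's autoescaping (otherwise the `|escape` filter would not have been needed), so any other template that passes a stored file name or MIME type to this helper, or to another raw-output helper, is still exposed. Consider having the helper escape its value internally (so a forgotten `|escape` cannot reintroduce the bug) and validating the file name and MIME type when the upload is stored, rather than relying on each view to remember `|escape`. The `size|filesize` line is left unescaped, which is fine for a formatted number but makes the hunk inconsistent; escaping all three would make the intent obvious to the next reader.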
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)