CVE-2019-14671
Description
Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attacker can enumerate local files due to the lack of protocol scheme sanitization, such as for file:/// URLs. This is related to fints_url to import/job/configuration, and import/create/fints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Firefly III 4.7.17.3 allows local file enumeration via unvalidated fints_url parameter supporting file:/// scheme, enabling attackers to probe for filesystem paths.
Firefly III version 4.7.17.3 contains a local file enumeration vulnerability in the import functionality related to FinTS configuration. The application fails to sanitize the protocol scheme in the fints_url parameter, allowing URLs using the file:/// scheme to be processed [1]. The root cause is the lack of validation against potentially dangerous URI schemes before passing the value to libcurl for connection [2].
An unauthenticated or low-privileged attacker can exploit this by sending a POST request to /import/job/configuration/[token] with the fints_url parameter set to a file:/// URL [2]. The attacker does not need valid bank credentials; the redirect and error messages reveal whether a specified local file exists. By comparing error messages when a file exists versus when it does not, an attacker can perform a filesystem presence test [2].
The impact is the ability to enumerate local files and directories on the server. An attacker can brute-force file paths and determine the existence of sensitive files, such as /etc/passwd, thereby gathering information about the system's file structure [2]. This does not provide direct file content retrieval but leaks existence clues that can aid further attacks.
The issue was fixed in a subsequent commit that introduced a validURI function, which restricts the fints_url to only accept the https scheme [3]. Users are advised to update to a patched version of Firefly III. No evidence indicates this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
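The narrative above describes the fix as an https-only scheme check. The following added example (not Firefly III's code; function names and the sample URLs are constructed for illustration) contrasts a syntax-only check with a scheme allowlist, generalising the fix to an explicit list of permitted schemes.

```php
<?php
// Added example, not from the Firefly III code base: why a scheme allowlist,
// and not FILTER_VALIDATE_URL alone, closes the file:/// enumeration hole.

/**
 * Insufficient check: FILTER_VALIDATE_URL validates URL syntax only.
 * PHP does not require a host for the "file" scheme, so file:///etc/passwd
 * is reported as a well-formed URL and would still be handed to libcurl.
 */
function looksLikeUrl(string $url): bool
{
    return false !== filter_var($url, FILTER_VALIDATE_URL);
}

/**
 * Hardened check, generalised from the fix: well-formed URL AND a scheme
 * taken from an explicit allowlist (https by default). The comparison is
 * case-insensitive because parse_url() returns the scheme as typed.
 */
function isAllowedFintsUrl(string $url, array $allowedSchemes = ['https']): bool
{
    if (false === filter_var($url, FILTER_VALIDATE_URL)) {
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)) {
        return false;
    }
    return in_array(strtolower($scheme), $allowedSchemes, true);
}

// Constructed sample inputs, modelled on the CVE's file:/// probe.
$samples = [
    'https://fints.example-bank.test/fints',
    'HTTPS://fints.example-bank.test/fints',
    'http://fints.example-bank.test/fints',
    'ftp://fints.example-bank.test/fints',
    'file:///etc/passwd',
    'not a url',
];
foreach ($samples as $url) {
    printf("%-40s syntax-only:%-5s allowlist:%s\n",
        $url,
        looksLikeUrl($url) ? 'pass' : 'fail',
        isAllowedFintsUrl($url) ? 'pass' : 'fail');
}
```

Run with `php example.php`; only the two https entries pass the allowlist column, while the file:/// probe passes the syntax-only column.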
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| grumpydictator/firefly-iii (Packagist) | < 4.7.17.4 | 4.7.17.4 |
Affected products
- Firefly III / Firefly III
Patches
1 file changed · +20 −0
app/Support/Import/JobConfiguration/FinTS/NewFinTSJobHandler.php+20 −0 modified@@ -60,6 +60,9 @@ public function configureJob(array $data): MessageBag $config['fints_password'] = (string)(Crypt::encrypt($data['fints_password']) ?? ''); $config['apply-rules'] = 1 === (int)$data['apply_rules']; + // sanitize FinTS URL. + $config['fints_url'] = $this->validURI($config['fints_url']) ? $config['fints_url'] : ''; + $this->repository->setConfiguration($this->importJob, $config); @@ -108,4 +111,21 @@ public function setImportJob(ImportJob $importJob): void $this->repository->setUser($importJob->user); } + /** + * @param string $fints_url + * + * @return bool + */ + private function validURI(string $fintsUri): bool + { + $res = filter_var($fintsUri, FILTER_VALIDATE_URL); + if (false === $res) { + return false; + } + $scheme = parse_url($fintsUri, PHP_URL_SCHEME); + + return 'https' === $scheme; + } + + }
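Review bot: in the configureJob() hunk, a rejected URL is silently replaced with an empty string (`$config['fints_url'] = $this->validURI($config['fints_url']) ? $config['fints_url'] : '';`) and the configuration is still saved, so a user who entered an http:// or mistyped URL gets a failing job with no explanation. Since configureJob() returns a MessageBag, add a message when validURI() fails so the rejection is visible. Also confirm that `$config['fints_url']` is populated before this line; the surrounding context only shows `$config` being built from `$data[...]`, and passing null to the `string` parameter of validURI() would throw a TypeError.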
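Review bot: in the validURI() hunk the docblock names the parameter `$fints_url` while the signature declares `$fintsUri`; align the two. The comparison `'https' === $scheme` is case-sensitive and parse_url() returns the scheme as typed, so `HTTPS://...` is rejected; that fails closed, which is acceptable, but comparing `strtolower($scheme)` avoids a confusing rejection. The two trailing added blank lines before the closing brace should be dropped.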
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jjcx-999m-35hc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-14671 (GHSA advisory)
- github.com/firefly-iii/firefly-iii/commit/e80d616ef4397e6e764f6b7b7a5b30121244933c (GHSA x_refsource_MISC, web)
- github.com/firefly-iii/firefly-iii/issues/2367 (GHSA x_refsource_MISC, web)
News mentions
No linked articles in our index yet.