VYPR
Moderate severity · NVD Advisory · Published Aug 23, 2021 · Updated Aug 3, 2024

Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

CVE-2021-3728

Description

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: grumpydictator/firefly-iii (Packagist)
Affected versions: < 5.6.0
Patched versions: 5.6.0

Affected products: 1

Patches: 1
14cdce113e0e

Fix vulnerability https://huntr.dev/bounties/dd54c5a1-0d4a-4f02-a111-7ce4ddc67a4d/

https://github.com/firefly-iii/firefly-iii · James Cole · Aug 20, 2021 · via ghsa
3 files changed · +13 −5
  • public/v1/js/ff/budgets/index.js (+7 −2, modified)
    @@ -133,7 +133,7 @@ function updateTotalBudgetedAmount(currencyId) {
             });
     
         // get new amount:
    -    $.get(totalBudgetedUri.replace('REPLACEME',currencyId)).done(function (data) {
    +    $.get(totalBudgetedUri.replace('REPLACEME', currencyId)).done(function (data) {
             // set thing:
             $('span.budgeted_amount[data-currency="' + currencyId + '"]')
                 .html(data.budgeted_formatted)
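Review bot: The only change in this hunk is the space after the comma in `totalBudgetedUri.replace('REPLACEME', currencyId)`; it is a cosmetic formatting edit unrelated to the CSRF fix and would be better kept out of a security patch so that the security-relevant change stays easy to audit.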
    @@ -207,9 +207,14 @@ function createBudgetLimit(e) {
     }
     
     function deleteBudgetLimit(e) {
    +    e.preventDefault();
         var button = $(e.currentTarget);
         var budgetLimitId = button.data('budget-limit-id');
    -    var url = deleteBudgetLimitUrl.replace('REPLACEME', budgetId.toString();
    +    var url = deleteBudgetLimitUrl.replace('REPLACEME', budgetLimitId.toString());
    +    $.post(url, {_token: token}).then(function () {
    +        $('.bl_entry[data-budget-limit-id="' + budgetLimitId + '"]').remove();
    +        
    +    });
         return false;
     }
     
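Review bot: `$.post(url, {_token: token})` depends on a global `token` that this diff never defines; confirm the layout exposes the CSRF token under that name, otherwise every delete will be rejected by the token middleware. The promise has a `.then` success branch but no `.fail()` handler, so a 403 (token mismatch), 405 or 500 leaves the row on screen with no feedback; add a failure callback that surfaces the error. Nit: the blank line inside the callback carries trailing whitespace.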
    
  • resources/views/v1/budgets/index.twig (+5 −2, modified)
    @@ -285,7 +285,7 @@
                                                             {{ trans('firefly.budget_limit_not_in_range', {start: budgetLimit.start_date, end: budgetLimit.end_date}) }}
                                                         </small><br>
                                                     {% endif %}
    -                                                <div class="input-group">
    +                                                <div class="input-group bl_entry" data-budget-limit-id="{{ budgetLimit.id }}">
                                                         <div class="input-group-addon">{{ budgetLimit.currency_symbol }}</div>
                                                         <input class="form-control budget_amount" data-original="{{ budgetLimit.amount }}"
                                                             data-id="{{ budget.id }}" data-limit="{{ budgetLimit.id }}" value="{{ budgetLimit.amount }}"
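Review bot: The `.bl_entry` wrapper added to the `input-group` div does not include the `budget_limit_not_in_range` warning rendered in the `{% if %}` block just above it, so after the JavaScript removes `.bl_entry[data-budget-limit-id=...]` that `<small>` warning and its `<br>` stay behind orphaned; either move the `{% if %}` block inside the wrapper or remove the warning together with the entry.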
    @@ -295,7 +295,9 @@
                                                             <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown" aria-haspopup="true"
                                                                     aria-expanded="false"><span class="caret"></span></button>
                                                             <ul class="dropdown-menu">
    -                                                            <li><a href="{{ route('budget-limits.delete', [budgetLimit.id]) }}">{{ trans('firefly.remove_budgeted_amount', {currency: budgetLimit.currency_name }) }}</a></li>
    +                                                            <li>
    +                                                                <a class="delete_bl" href="#" data-budget-limit-id="{{ budgetLimit.id }}">{{ trans('firefly.remove_budgeted_amount', {currency: budgetLimit.currency_name }) }}</a>
    +                                                            </li>
                                                             </ul>
                                                         </div>
                                                     </div>
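Review bot: The anchor now has `href="#"` and depends on a click handler bound to `.delete_bl`, but that binding (`$('.delete_bl').on('click', deleteBudgetLimit)` or equivalent) is not part of this diff; confirm it exists in `index.js`. If the handler fails to bind the link silently does nothing, which is the right failure mode now that the GET route is gone. Since the entry is now deleted straight from the dropdown without any confirmation step, consider a confirm prompt before the POST for a destructive action.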
    @@ -468,6 +470,7 @@
             var createBudgetLimitUri = "{{ route('budget-limits.create', ['REPLACEME', start.format('Y-m-d'), end.format('Y-m-d')]) }}";
             var storeBudgetLimitUri = "{{ route('budget-limits.store') }}";
             var updateBudgetLimitUri = "{{ route('budget-limits.update', ['REPLACEME']) }}";
    +        var deleteBudgetLimitUrl = "{{ route('budget-limits.delete', ['REPLACEME']) }}";
             var totalBudgetedUri = "{{ route('json.budget.total-budgeted', ['REPLACEME', start.format('Y-m-d'), end.format('Y-m-d')]) }}";
     
             // period thing:
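Review bot: Naming nit: the neighbouring variables use the `Uri` suffix (`createBudgetLimitUri`, `storeBudgetLimitUri`, `updateBudgetLimitUri`, `totalBudgetedUri`) while the new one is `deleteBudgetLimitUrl`; rename it to `deleteBudgetLimitUri` (and update the reference in `index.js`) for consistency.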
    
  • routes/web.php (+1 −1, modified)
    @@ -282,7 +282,7 @@ static function () {
             Route::get('create/{budget}/{start_date}/{end_date}', ['uses' => 'Budget\BudgetLimitController@create', 'as' => 'create']);
             Route::post('store', ['uses' => 'Budget\BudgetLimitController@store', 'as' => 'store']);
     
    -        Route::get('delete/{budgetLimit}', ['uses' => 'Budget\BudgetLimitController@delete', 'as' => 'delete']);
    +        Route::post('delete/{budgetLimit}', ['uses' => 'Budget\BudgetLimitController@delete', 'as' => 'delete']);
     
             Route::post('update/{budgetLimit}', ['uses' => 'Budget\BudgetLimitController@update', 'as' => 'update']);
         }
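Review bot: Switching `delete/{budgetLimit}` from `Route::get` to `Route::post` is the change that actually closes the CSRF hole, because Laravel's VerifyCsrfToken middleware skips GET/HEAD/OPTIONS and only checks `_token` on state-changing verbs; however `Budget\BudgetLimitController@delete` is not touched in this changeset. Confirm that the `delete()` action performs the deletion when reached by POST (it was previously reached by GET, and if it still renders a confirmation view the AJAX `.then` will remove the row client-side while nothing is deleted server-side). Also check that no remaining template links to the old GET URL, which now returns 405.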
    


References: 4

News mentions: 0

No linked articles in our index yet.