Moderate severity · NVD Advisory · Published Aug 23, 2021 · Updated Aug 3, 2024

Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

CVE-2021-3730

Description

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Affected packages

Versions sourced from the GitHub Security Advisory.

Package · Affected versions · Patched versions
grumpydictator/firefly-iii (Packagist)
< 5.6.0 · 5.6.0


Patches

1
f80178b1b2b7

Fix https://huntr.dev/bounties/ea181323-51f8-46a2-a60f-6a401907feb7/

https://github.com/firefly-iii/firefly-iii · James Cole · Aug 20, 2021 · via ghsa
7 files changed · +43 139
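--- a/app/Http/Controllers/Budget/AvailableBudgetController.php
+++ b/app/Http/Controllers/Budget/AvailableBudgetController.php
@@ -137,10 +137,16 @@ static function (TransactionCurrency $currency) use ($availableBudgets) {
      *
      * @return RedirectResponse|Redirector
      */
-    public function delete(AvailableBudget $availableBudget)
+    public function delete(Request $request)
     {
-        $this->abRepository->destroyAvailableBudget($availableBudget);
-        session()->flash('success', trans('firefly.deleted_ab'));
+        $id = (int)$request->get('id');
+        if (0 !== $id) {
+            $availableBudget = $this->abRepository->findById($id);
+            if (null !== $availableBudget) {
+                $this->abRepository->destroyAvailableBudget($availableBudget);
+                session()->flash('success', trans('firefly.deleted_ab'));
+            }
+        }
 
         return redirect(route('budgets.index'));
     }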
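Review bot: When `findById` returns null (id absent, zero, or not owned by the current user) `delete` falls through to the redirect on the last line with no flash at all, so a rejected or failed deletion is indistinguishable from success in the UI and leaves nothing in the session to explain it; an `else` branch flashing an error through an existing translation key, e.g. `session()->flash('error', trans('firefly.<error-key placeholder>'));`, would close that gap. The ownership check now lives entirely in `findById` (see the AvailableBudgetRepository hunk on this page), which is the right place, but it is worth a one-line comment above the lookup saying so, `// findById is scoped to the current user; foreign ids resolve to null`. The docblock ending just above the hunk still appears to describe the old `AvailableBudget $availableBudget` parameter (only its `@return` tag is visible); it should gain `@param Request $request`.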
    
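--- a/app/Repositories/Budget/AvailableBudgetRepositoryInterface.php
+++ b/app/Repositories/Budget/AvailableBudgetRepositoryInterface.php
@@ -56,6 +56,13 @@ public function destroyAvailableBudget(AvailableBudget $availableBudget): void;
      */
     public function find(TransactionCurrency $currency, Carbon $start, Carbon $end): ?AvailableBudget;
 
+    /**
+     * @param int $id
+     *
+     * @return AvailableBudget|null
+     */
+    public function findById(int $id): ?AvailableBudget;
+
     /**
      * Return a list of all available budgets (in all currencies) (for the selected period).
      *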
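Review bot: The new `findById` docblock only restates the native types; what a caller of the interface needs to know is the ownership contract that the controller relies on — that the lookup is limited to the repository's user and yields null for any id outside that set, as the AvailableBudgetRepository hunk on this page implements it. A one-line description such as `Find an available budget by id, restricted to the current user's budgets; null when absent or owned by another user.` would document that guarantee where implementors will see it.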
    
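--- a/app/Repositories/Budget/AvailableBudgetRepository.php
+++ b/app/Repositories/Budget/AvailableBudgetRepository.php
@@ -79,6 +79,14 @@ public function find(TransactionCurrency $currency, Carbon $start, Carbon $end):
 
     }
 
+    /**
+     * @inheritDoc
+     */
+    public function findById(int $id): ?AvailableBudget
+    {
+        return $this->user->availableBudgets->find($id);
+    }
+
     /**
      * Return a list of all available budgets (in all currencies) (for the selected period).
      *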
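Review bot: `$this->user->availableBudgets->find($id)` reads the relation as a property, which loads every available budget of the user into a collection and then searches it in memory for a single id; `$this->user->availableBudgets()->find($id)` issues one keyed query instead and matches the `$this->user->budgets()->find(...)` form used in the BudgetLimitRepository hunk on this page. Both forms keep the per-user scoping that makes this lookup the authorization check for the delete route, so the change is purely about cost and consistency. `$this->user` is declared outside the hunk, so this assumes it is the usual user-scoped repository property.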
    
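--- a/app/Repositories/Budget/BudgetLimitRepository.php
+++ b/app/Repositories/Budget/BudgetLimitRepository.php
@@ -22,6 +22,7 @@
 declare(strict_types=1);
 
 namespace FireflyIII\Repositories\Budget;
+
 use Carbon\Carbon;
 use Exception;
 use FireflyIII\Exceptions\FireflyException;
@@ -319,7 +320,7 @@ public function store(array $data): BudgetLimit
         // find the budget:
         $budget = $this->user->budgets()->find((int)$data['budget_id']);
         if (null === $budget) {
-            throw new FireflyException('200004: Budget does not exist.'); 
+            throw new FireflyException('200004: Budget does not exist.');
         }
 
         // find limit with same date range and currency.
@@ -329,7 +330,7 @@ public function store(array $data): BudgetLimit
                         ->where('budget_limits.transaction_currency_id', $currency->id)
                         ->first(['budget_limits.*']);
         if (null !== $limit) {
-            throw new FireflyException('200027: Budget limit already exists.'); 
+            throw new FireflyException('200027: Budget limit already exists.');
         }
         Log::debug('No existing budget limit, create a new one');
 
@@ -425,6 +426,7 @@ public function updateLimitAmount(Budget $budget, Carbon $start, Carbon $end, st
             } catch (Exception $e) { // @phpstan-ignore-line
                 // @ignoreException
             }
+
             return null;
         }
         // update if exists: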
    
  • public/v1/js/ff/budgets/index.js+12 131 modified
    @@ -30,6 +30,7 @@ $(function () {
         drawBudgetedBars();
     
         $('.update_ab').on('click', updateAvailableBudget);
    +    $('.delete_ab').on('click', deleteAvailableBudget);
         $('.create_ab_alt').on('click', createAltAvailableBudget);
     
         $('.budget_amount').on('change', updateBudgetedAmount);
    @@ -241,7 +242,17 @@ function updateAvailableBudget(e) {
         }
         return false;
     }
    -
    +function deleteAvailableBudget(e) {
    +    //
    +    e.preventDefault();
    +    var button = $(e.currentTarget);
    +    var abId = button.data('id');
    +    $.post(deleteABUrl, {_token: token, id: abId}).then(function () {
    +        // lame but it works.
    +        location.reload();
    +    });
    +    return false;
    +}
     
     function drawBudgetedBars() {
         "use strict";
    @@ -288,133 +299,3 @@ function drawSpentBars() {
             }
         });
     }
    -
    -//
    -//
    -// function drawSpentBar() {
    -//     "use strict";
    -//     if ($('.spentBar').length > 0) {
    -//         var overspent = spent > budgeted;
    -//         var pct;
    -//
    -//         if (overspent) {
    -//             // draw overspent bar
    -//             pct = (budgeted / spent) * 100;
    -//             $('.spentBar .progress-bar-warning').css('width', pct + '%');
    -//             $('.spentBar .progress-bar-danger').css('width', (100 - pct) + '%');
    -//         } else {
    -//             // draw normal bar:
    -//             pct = (spent / budgeted) * 100;
    -//             $('.spentBar .progress-bar-info').css('width', pct + '%');
    -//         }
    -//     }
    -// }
    -//
    -// function drawBudgetedBar() {
    -//     "use strict";
    -//
    -//     if ($('.budgetedBar').length > 0) {
    -//         var budgetedMuch = budgeted > available;
    -//
    -//         // recalculate percentage:
    -//
    -//         var pct;
    -//         if (budgetedMuch) {
    -//             // budgeted too much.
    -//             pct = (available / budgeted) * 100;
    -//             $('.budgetedBar .progress-bar-warning').css('width', pct + '%');
    -//             $('.budgetedBar .progress-bar-danger').css('width', (100 - pct) + '%');
    -//             $('.budgetedBar .progress-bar-info').css('width', 0);
    -//         } else {
    -//             pct = (budgeted / available) * 100;
    -//             $('.budgetedBar .progress-bar-warning').css('width', 0);
    -//             $('.budgetedBar .progress-bar-danger').css('width', 0);
    -//             $('.budgetedBar .progress-bar-info').css('width', pct + '%');
    -//         }
    -//
    -//         $('#budgetedAmount').html(currencySymbol + ' ' + budgeted.toFixed(2));
    -//     }
    -// }
    -
    -// /**
    -//  *
    -//  * @param e
    -//  */
    -// function updateBudgetedAmounts(e) {
    -//     "use strict";
    -//     var target = $(e.target);
    -//     var id = target.data('id');
    -//     var leftCell = $('td[class$="left"][data-id="' + id + '"]');
    -//     var link = $('a[data-id="' + id + '"][class="budget-link"]');
    -//     var value = target.val();
    -//     var original = target.data('original');
    -//
    -//     // disable input
    -//     target.prop('disabled', true);
    -//
    -//     // replace link (for now)
    -//     link.attr('href', '#');
    -//
    -//     // replace "left" with spinner.
    -//     leftCell.empty().html('<i class="fa fa-fw fa-spin fa-spinner"></i>');
    -//
    -//     // send a post to Firefly to update the amount:
    -//     var newUri = budgetAmountUri.replace("REPLACE", id);
    -//
    -//     $.post(newUri, {amount: value, start: periodStart, end: periodEnd, _token: token}).done(function (data) {
    -//
    -//         // difference between new value and original value
    -//         var difference = value - original;
    -//
    -//         // update budgeted value
    -//         budgeted = budgeted + difference;
    -//
    -//         // fill in "left" value:
    -//
    -//
    -//         if (data.left_per_day !== null) {
    -//             leftCell.html(data.left + ' (' + data.left_per_day + ')');
    -//         } else {
    -//             leftCell.html(data.left);
    -//         }
    -//
    -//         // update "budgeted" input:
    -//         target.val(data.amount);
    -//
    -//         // enable thing again
    -//         target.prop('disabled', false);
    -//
    -//         // set new original value:
    -//         target.data('original', data.amount);
    -//
    -//         // run drawBudgetedBar() again:
    -//         drawBudgetedBar();
    -//
    -//         // update the link if relevant:
    -//         link.attr('href', 'budgets/show/' + id);
    -//         if (data.limit > 0) {
    -//             link.attr('href', 'budgets/show/' + id + '/' + data.limit);
    -//         }
    -//
    -//         // update the warning if relevant:
    -//         if (data.large_diff === true) {
    -//             $('span[class$="budget_warning"][data-id="' + id + '"]').html(data.warn_text).show();
    -//             console.log('Show warning for budget');
    -//         } else {
    -//             $('span[class$="budget_warning"][data-id="' + id + '"]').empty().hide();
    -//         }
    -//     });
    -// }
    -
    -// /**
    -//  *
    -//  * @returns {boolean}
    -//  */
    -// function updateIncome() {
    -//     "use strict";
    -//     $('#defaultModal').empty().load(updateIncomeUri, function () {
    -//         $('#defaultModal').modal('show');
    -//     });
    -//
    -//     return false;
    -// }
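Review bot: In `deleteAvailableBudget` the `$.post(...).then(...)` chain only wires the success path: a rejected request (expired `_token`, a 4xx from the new POST route) leaves the page unchanged and silent, while any 2xx triggers the reload even though the controller redirects identically whether or not it deleted anything. Attaching a failure handler, `$.post(deleteABUrl, {_token: token, id: abId}).done(function () { location.reload(); }).fail(function () { /* report the failed delete to the user */ });`, gives the user a signal instead of a quiet no-op. There is also no confirmation step before a destructive action; whether the removed GET route previously provided one is not visible on this page. `token` and `deleteABUrl` are globals defined in the Twig template hunk, which is worth stating in the empty `//` comment at the top of the function.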
    
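--- a/resources/views/v1/budgets/index.twig
+++ b/resources/views/v1/budgets/index.twig
@@ -137,8 +137,7 @@
                                         <span class="available_amount" data-id="{{ budget.id }}"
                                               data-value="{{ budget.amount }}">{{ formatAmountBySymbol(budget.amount, budget.transaction_currency.symbol, budget.transaction_currency.decimal_places, true) }}</span>
                                         <a href="#" data-id="{{ budget.id }}" class="update_ab btn btn-default btn-xs"><span class="fa fa-pencil"></span></a>
-                                        <a href="{{ route('available-budgets.delete', [budget.id]) }}" data-id="{{ budget.id }}"
-                                           class="delete_ab btn btn-danger btn-xs"><span class="fa fa-trash"></span></a>
+                                        <a href="#" data-id="{{ budget.id }}" class="delete_ab btn btn-danger btn-xs"><span class="fa fa-trash"></span></a>
                                     </small>
                                 </div>
                             </div>
@@ -465,6 +464,7 @@
         var createAvailableBudgetUri = "{{ route('available-budgets.create', [start.format('Y-m-d'), end.format('Y-m-d')]) }}";
         var createAltAvailableBudgetUri = "{{ route('available-budgets.create-alternative', [start.format('Y-m-d'), end.format('Y-m-d')]) }}";
         var editAvailableBudgetUri = "{{ route('available-budgets.edit', ['REPLACEME', start.format('Y-m-d'), end.format('Y-m-d')]) }}";
+        var deleteABUrl = "{{ route('available-budgets.delete') }}";
 
         // budget limit create form.
         var createBudgetLimitUri = "{{ route('budget-limits.create', ['REPLACEME', start.format('Y-m-d'), end.format('Y-m-d')]) }}";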
    
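--- a/routes/web.php
+++ b/routes/web.php
@@ -269,7 +269,7 @@ static function () {
         Route::get('edit/{availableBudget}/{start_date}/{end_date}', ['uses' => 'Budget\AvailableBudgetController@edit', 'as' => 'edit']);
         Route::post('update/{availableBudget}/{start_date}/{end_date}', ['uses' => 'Budget\AvailableBudgetController@update', 'as' => 'update']);
 
-        Route::get('delete/{availableBudget}', ['uses' => 'Budget\AvailableBudgetController@delete', 'as' => 'delete']);
+        Route::post('delete', ['uses' => 'Budget\AvailableBudgetController@delete', 'as' => 'delete']);
     }
 );
 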
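Review bot: The new `delete` route drops the `{availableBudget}` parameter, so implicit model binding no longer participates and the only thing standing between a posted id and a deletion is the per-user `findById` lookup in the AvailableBudgetRepository hunk; that split is invisible from the routes file and deserves a comment on the line, `// POST only (CSRF-protected); id is read from the body and resolved per-user in the repository`. Moving the verb from GET to POST is what closes the CSRF hole, since the CSRF middleware does not guard GET; if other state-changing routes in this group are still declared with `Route::get`, they are outside the hunk and would need the same treatment. The enclosing route group starts before the hunk.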
    

