VYPR
Low severity · NVD Advisory · Published Oct 27, 2021 · Updated Aug 3, 2024

Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

CVE-2021-3901

Description

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
grumpydictator/firefly-iii (Packagist)   <= 5.6.2            (not listed)

Patches

Commit b42d8d1e305c

Fix rescan

https://github.com/firefly-iii/firefly-iii · James Cole · Oct 24, 2021 · via GHSA
2 files changed · +8 -2
  • resources/views/v1/bills/show.twig · +7 -1 · modified
    @@ -96,7 +96,13 @@
                         {% endif %}
                     </div>
                     <div class="box-footer">
    -                    <p><a id="billButtons" href="{{ route('bills.rescan',object.data.id) }}" class="btn btn-default">{{ 'rescan_old'|_ }}</a></p>
    +                    <form action="{{ route('bills.rescan',object.data.id) }}" method="post">
    +                        <input type="hidden" name="_token" value="{{ csrf_token() }}"/>
    +                        <p>
    +                            <input type="submit" name="submit" value="{{ 'rescan_old'|_ }}" class="btn btn-default" />
    +                        </p>
    +                    </form>
    +
                         <p><small class="text-muted">
                                 {{ 'running_again_loss'|_ }}
                             </small>
    
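Review bot: the replacement form drops the id="billButtons" that the old anchor carried, so any script or test that selects #billButtons on this page will now find nothing; if the id is still referenced, put it on the form or on the submit input. Two smaller points on the same lines: giving the submit control name="submit" shadows the form element's own submit() method in the DOM (form.submit resolves to the input, not the method), which breaks any script that later submits this form programmatically, so prefer name="rescan" or no name at all; and the hidden _token from csrf_token() only has effect if Laravel's VerifyCsrfToken middleware is still applied to these routes, which this diff does not show. The extra blank "+" line after </form> is a nit.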
  • routes/web.php · +1 -1 · modified
    @@ -195,7 +195,7 @@ static function () {
         ['middleware' => 'user-full-auth', 'namespace' => 'FireflyIII\Http\Controllers', 'prefix' => 'bills', 'as' => 'bills.'],
         static function () {
             Route::get('', ['uses' => 'Bill\IndexController@index', 'as' => 'index']);
    -        Route::get('rescan/{bill}', ['uses' => 'Bill\ShowController@rescan', 'as' => 'rescan']);
    +        Route::post('rescan/{bill}', ['uses' => 'Bill\ShowController@rescan', 'as' => 'rescan']);
             Route::get('create', ['uses' => 'Bill\CreateController@create', 'as' => 'create']);
             Route::get('edit/{bill}', ['uses' => 'Bill\EditController@edit', 'as' => 'edit']);
             Route::get('delete/{bill}', ['uses' => 'Bill\DeleteController@delete', 'as' => 'delete']);
    
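Review bot: changing the verb to Route::post() means any remaining GET link to route('bills.rescan', ...) elsewhere in the views, or a bookmarked URL, now answers 405 instead of running the rescan; that is the intended effect, but grep resources/views for 'bills.rescan' before merging, since the companion hunk only fixes the one link in bills/show.twig. The verb change is also what makes the token check happen at all: VerifyCsrfToken skips HEAD, GET and OPTIONS, so the POST route plus the hidden _token is the actual fix, provided the CSRF middleware remains on this group (the hunk shows only 'user-full-auth'). The neighbouring delete/{bill} route stays GET, which is fine only if it renders a confirmation page rather than deleting; that is outside this diff but worth confirming in the same review.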

Vulnerability mechanics

Before the fix, the bill rescan action was registered as a GET route (Route::get('rescan/{bill}', ...)) and triggered from the bill page by a plain link. A GET that changes server state is the classic CWE-352 shape: Laravel's VerifyCsrfToken middleware only checks the _token on non-reading verbs (POST, PUT, PATCH, DELETE) and skips HEAD, GET and OPTIONS, so a cross-site page could make a logged-in user's browser request /bills/rescan/{bill} with the session cookie attached and the rescan would run with no token check. A SameSite=Lax session cookie does not close this on its own, because Lax still sends the cookie on top-level cross-site GET navigations. Commit b42d8d1e305c changes the route to Route::post(...) and replaces the link with a form that carries a hidden _token set from csrf_token(), so the request now goes through the token comparison and a forged request from another origin, which cannot read the token, is rejected.
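The before/after shape of the route, modelled as an added example in Python rather than in the project's PHP. This is not Firefly III or Laravel code: the Session and Request classes, the in-memory session store and the handler names are constructed here to show why the cookie-only GET is forgeable and why the POST plus synchronizer-token form is not; the status codes follow Laravel's conventions (405 for an unmatched verb, 419 for a token mismatch).

```python
"""Model of the Firefly III "rescan bill" endpoint before and after the
CVE-2021-3901 patch. Added illustration, not Firefly III or Laravel code:
Session, Request, SESSIONS and the handler names are constructed here."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session secret the server embeds in its own forms (csrf_token() in
    # the patched Twig template) and compares against on POST.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    # The browser attaches cookies to cross-site top-level navigations even
    # with SameSite=Lax, so a forged request arrives already authenticated.
    cookies: dict
    # The body is attacker-controlled, but an attacker page cannot read the
    # victim's token out of a Firefly III page (same-origin policy); it can
    # only guess.
    form: dict = field(default_factory=dict)


SESSIONS: dict[str, Session] = {}    # constructed store: cookie value -> Session
RESCANS: list[tuple[str, str]] = []  # side effect under test: (user, bill id)


def login(user: str) -> str:
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid


def _bill_id(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def rescan_before_patch(req: Request) -> int:
    """Pre-patch shape: GET /bills/rescan/{bill}, authenticated by cookie alone."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 302                      # redirect to login
    if req.method != "GET":
        return 405
    RESCANS.append((sess.user, _bill_id(req.path)))
    return 200


def rescan_after_patch(req: Request) -> int:
    """Post-patch shape: POST only, and the form _token must match the session's."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 302
    if req.method != "POST":
        return 405                      # Route::post() no longer matches GET
    supplied = req.form.get("_token", "")
    if not secrets.compare_digest(supplied, sess.csrf_token):
        return 419                      # Laravel's TokenMismatchException status
    RESCANS.append((sess.user, _bill_id(req.path)))
    return 200


def demo() -> dict:
    """Replay the same forged requests against both handlers."""
    RESCANS.clear()
    sid = login("alice")
    # What a cross-site page can make alice's browser send: her cookie, no token.
    forged_get = Request("GET", "/bills/rescan/7", {"session": sid})
    forged_post = Request("POST", "/bills/rescan/7", {"session": sid},
                          form={"_token": "attacker-guess"})
    # What the patched template's own form sends.
    legit_post = Request("POST", "/bills/rescan/7", {"session": sid},
                         form={"_token": SESSIONS[sid].csrf_token})
    return {
        "before_forged_get": rescan_before_patch(forged_get),   # 200: rescan ran
        "after_forged_get": rescan_after_patch(forged_get),     # 405
        "after_forged_post": rescan_after_patch(forged_post),   # 419
        "after_legit_post": rescan_after_patch(legit_post),     # 200
        "rescans_run": len(RESCANS),                            # 2, one per 200
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The comparison uses secrets.compare_digest so the token check does not leak timing, and the token lives only in the session and the server-rendered form, which is the whole point of the synchronizer-token pattern the patch adopts.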
