VYPR
Moderate severity · NVD Advisory · Published Dec 4, 2021 · Updated Aug 3, 2024

Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

CVE-2021-4005

Description

firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
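The advisory gives only a one-line description, so here is a constructed model of the mechanism behind it and behind the fix shown in the patch below: a state-changing action (disabling two-factor auth) that was reachable through a plain link, beside the same action guarded the way a Laravel-style CSRF check guards a POST form carrying a hidden `_token`. This is an added example written in Python, not Firefly III code; the `Session`, `Request`, `verify_csrf` and `delete_code_*` names are assumptions made for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model (not Firefly III / Laravel code) of a CSRF check around a
# "disable 2FA" action. Names below are assumptions made for this example.


@dataclass
class Session:
    """Server-side session: per-session CSRF token plus the 2FA flag."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    two_factor_enabled: bool = True


@dataclass
class Request:
    method: str
    form: dict  # submitted form fields, e.g. {"_token": "..."}


class CsrfRejected(Exception):
    """Raised when a request fails the CSRF check."""


def verify_csrf(session: Session, request: Request) -> None:
    """Accept only a POST whose `_token` equals the token in the caller's session.

    A cross-site page can make the victim's browser send the session cookie,
    but it cannot read the token that the real page rendered into its form,
    so a forged request arrives without it (or with a wrong one).
    """
    if request.method != "POST":
        raise CsrfRejected("state-changing action must be a POST")
    submitted = request.form.get("_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(submitted, session.csrf_token):
        raise CsrfRejected("missing or invalid CSRF token")


def delete_code_unprotected(session: Session, request: Request) -> bool:
    """'Before' shape: any request that reaches the handler disables 2FA.

    `request` is deliberately ignored; that is the defect being modelled.
    Returns the resulting 2FA state.
    """
    session.two_factor_enabled = False
    return session.two_factor_enabled


def delete_code_protected(session: Session, request: Request) -> bool:
    """'After' shape: same action, reachable only via a token-bearing POST."""
    verify_csrf(session, request)
    session.two_factor_enabled = False
    return session.two_factor_enabled


def simulate() -> dict:
    """Send a token-less cross-site request and a legitimate one to both handlers."""
    results = {}

    # Cross-site request: valid session cookie, but no token and no POST body.
    cross_site = Request(method="GET", form={})

    s = Session()
    results["unprotected_cross_site"] = delete_code_unprotected(s, cross_site)

    s = Session()
    try:
        delete_code_protected(s, cross_site)
    except CsrfRejected:
        pass
    results["protected_cross_site"] = s.two_factor_enabled  # unchanged: True

    # A POST with a guessed token is rejected as well.
    s = Session()
    try:
        delete_code_protected(s, Request(method="POST", form={"_token": "guess"}))
    except CsrfRejected:
        pass
    results["protected_bad_token"] = s.two_factor_enabled  # unchanged: True

    # Legitimate submission from the real page, which rendered the session token.
    s = Session()
    legit = Request(method="POST", form={"_token": s.csrf_token})
    results["protected_legit"] = delete_code_protected(s, legit)  # user's own action: False

    return results


if __name__ == "__main__":
    for name, two_fa_state in simulate().items():
        print(f"{name}: 2FA enabled after request = {two_fa_state}")
```

The point the simulation makes is that the cookie alone proves nothing about who composed the request; only the token, which lives in the page the user actually loaded, ties the submission to the user's intent. Moving the action from a link to a POST form matters only if the server also refuses the old GET path, which is why a fix of this kind needs a route-side change as well as the template change.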

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions   Patched versions
grumpydictator/firefly-iii (Packagist)   < 5.6.5             5.6.5

Affected products: 1

Patches: 1

03a1601bf343

Fix.

https://github.com/firefly-iii/firefly-iii · James Cole · Nov 24, 2021 · via ghsa
1 file changed · +5 −4
  • resources/views/v1/profile/index.twig · +5 −4 · modified
    @@ -107,7 +107,7 @@
                         <div class="box box-default">
                             <div class="box-body">
                                 <p class="text-info">{{ 'pref_two_factor_auth_help'|_ }}</p>
    -                            {% if enabled2FA == false %}
    +                            {% if enabled2FA == true %}
                                     <p class="text-info">
                                         {{ trans_choice('firefly.pref_two_factor_backup_code_count', mfaBackupCount) }}
                                     </p>
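Review bot: the flip from `{% if enabled2FA == false %}` to `{% if enabled2FA == true %}` in this hunk is a display-logic fix (the backup-code count was being shown only while 2FA was off) that has nothing to do with the CSRF issue the commit is for, and the one-word commit message "Fix." does not mention it; either split it into its own commit or say in the message what was wrong. Twig nit: `{% if enabled2FA %}` reads more naturally than comparing against `true`.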
    @@ -116,10 +116,11 @@
                                         <a class="btn btn-info" href="{{ route('profile.code') }}">
                                             <span class="fa fa-recycle"></span>
                                             {{ 'pref_two_factor_auth_reset_code'|_ }}</a>
    -                                    <a class="btn btn-danger" href="{{ route('profile.delete-code') }}">
    -                                        <span class="fa fa-trash"></span>
    -                                        {{ 'pref_two_factor_auth_disable_2fa'|_ }}</a>
                                     </div>
    +                                <form method="post" action="{{ route('profile.delete-code') }}">
    +                                    <input type="hidden" name="_token" value="{{ csrf_token() }}" />
    +                                    <input class="btn btn-danger" style="margin-top:20px;" type="submit" name="submit" value="{{ 'pref_two_factor_auth_disable_2fa'|_ }}" />
    +                                </form>
                                     <form method="post" action="{{ route('profile.new-backup-codes') }}">
                                         <input type="hidden" name="_token" value="{{ csrf_token() }}" />
                                         <input class="btn btn-default" style="margin-top:20px;" type="submit" name="submit" value="{{ 'pref_two_factor_new_backup_codes'|_ }}" />
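Review bot: the view now submits `profile.delete-code` as a POST with a hidden `_token`, but this commit touches only resources/views/v1/profile/index.twig ("1 file changed"), so nothing here shows the route for `profile.delete-code` being limited to POST. If that route still answers GET, the old link-style request is still accepted without any token and the CSRF exposure remains; please include the route/controller change (or reference the commit that makes it) and add a test asserting that a GET or a token-less POST to this route is rejected. Minor: the new `<form>` is inserted after the closing `</div>` that used to contain the disable button, so the button now sits outside that group beside the backup-codes form; confirm the layout change is intended.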
    


References: 4

News mentions: 0

No linked articles in our index yet.