Moderate severity · NVD Advisory · Published Dec 1, 2021 · Updated Aug 3, 2024
Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii
CVE-2021-4015
Description
firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF)
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| grumpydictator/firefly-iii (Packagist) | < 5.6.5 | 5.6.5 |
Affected products
- Range: unspecified
Patches
1 file changed · +6 −5
routes/web.php+6 −5 modified
@@ -213,7 +213,7 @@ static function () {
 ['middleware' => 'user-full-auth', 'namespace' => 'FireflyIII\Http\Controllers', 'prefix' => 'subscriptions', 'as' => 'subscriptions.'],
 static function () {
 Route::get('', ['uses' => 'Bill\IndexController@index', 'as' => 'index']);
- Route::get('rescan/{bill}', ['uses' => 'Bill\ShowController@rescan', 'as' => 'rescan']);
+ Route::post('rescan/{bill}', ['uses' => 'Bill\ShowController@rescan', 'as' => 'rescan']);
 Route::get('create', ['uses' => 'Bill\CreateController@create', 'as' => 'create']);
 Route::get('edit/{bill}', ['uses' => 'Bill\EditController@edit', 'as' => 'edit']);
 Route::get('delete/{bill}', ['uses' => 'Bill\DeleteController@delete', 'as' => 'delete']);
@@ -649,7 +649,7 @@ static function () {
 Route::get('rate/{fromCurrencyCode}/{toCurrencyCode}/{date}', ['uses' => 'Json\ExchangeController@getRate', 'as' => 'rate']);
 // intro things:
- Route::any('intro/finished/{route}/{specificPage?}', ['uses' => 'Json\IntroController@postFinished', 'as' => 'intro.finished']);
+ Route::post('intro/finished/{route}/{specificPage?}', ['uses' => 'Json\IntroController@postFinished', 'as' => 'intro.finished']);
 Route::post('intro/enable/{route}/{specificPage?}', ['uses' => 'Json\IntroController@postEnable', 'as' => 'intro.enable']);
 Route::get('intro/{route}/{specificPage?}', ['uses' => 'Json\IntroController@getIntroSteps', 'as' => 'intro']);
 }
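Review bot: Switching `subscriptions.rescan` from `Route::get` to `Route::post` only closes the CSRF hole if these routes run under a middleware stack that includes Laravel's `VerifyCsrfToken` (normally the `web` group), because the group shown here declares only `'middleware' => 'user-full-auth'`; the enclosing `Route::group` call starts outside the hunk, so that should be confirmed there rather than assumed. The same caveat applies to the `intro.finished` hunk at 649 and to the `delete-code`/`new-backup-codes` and `links.switch` hunks at 726 and 1078. Since the diffstat reports a single changed file, every view that reaches these names through a plain link to `route('subscriptions.rescan', ...)` will now get a 405 until it is converted to a form (or XHR) that carries the session's CSRF token, so presumably those template changes live in a separate commit and should be linked from this one. Narrowing `intro.finished` from `Route::any` to `Route::post` is also correct in its own right, because `any` accepted GET and therefore a cross-site image or link could mark the intro as finished.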
@@ -726,14 +726,15 @@ static function () {
 Route::post('enable2FA', ['uses' => 'ProfileController@enable2FA', 'as' => 'enable2FA']);
 Route::get('2fa/code', ['uses' => 'ProfileController@code', 'as' => 'code']);
 Route::post('2fa/code', ['uses' => 'ProfileController@postCode', 'as' => 'code.store']);
- Route::get('/delete-code', ['uses' => 'ProfileController@deleteCode', 'as' => 'delete-code']);
- Route::get('2fa/new-codes', ['uses' => 'ProfileController@newBackupCodes', 'as' => 'new-backup-codes']);
+ Route::post('/delete-code', ['uses' => 'ProfileController@deleteCode', 'as' => 'delete-code']);
+ Route::post('2fa/new-codes', ['uses' => 'ProfileController@newBackupCodes', 'as' => 'new-backup-codes']);
 }
 );
 /**
 * Recurring Transactions Controller.
+ *
 */
 Route::group(
 ['middleware' => 'user-full-auth', 'namespace' => 'FireflyIII\Http\Controllers', 'prefix' => 'recurring', 'as' => 'recurring.'],
@@ -1078,7 +1079,7 @@ static function () {
 // See reference nr. 6
 Route::post('store/{tj}', ['uses' => 'LinkController@store', 'as' => 'store']);
 Route::get('delete/{journalLink}', ['uses' => 'LinkController@delete', 'as' => 'delete']);
- Route::get('switch/{journalLink}', ['uses' => 'LinkController@switchLink', 'as' => 'switch']);
+ Route::post('switch/{journalLink}', ['uses' => 'LinkController@switchLink', 'as' => 'switch']);
 Route::post('destroy/{journalLink}', ['uses' => 'LinkController@destroy', 'as' => 'destroy']);
 }
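Review bot: Moving `delete-code` and `new-backup-codes` to POST adds CSRF protection, but by their names these two actions remove the user's 2FA secret and rotate the backup codes, which are the operations an attacker riding an already-authenticated session would reach for; it is worth confirming that `ProfileController@deleteCode` and `ProfileController@newBackupCodes` (not in this diff) also demand the current password or a recent re-authentication before acting, as the 2FA enable flow at `enable2FA` presumably does. The ` *` line added inside the "Recurring Transactions Controller." docblock is unrelated whitespace noise and should be dropped from a security fix so the change stays reviewable as the route-verb change it is. The `links.switch` change at 1078 is in the same shape as the `rescan` hunk and has the same dependency on `VerifyCsrfToken` being active on the group, whose opening lies outside the hunk.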
References
- github.com/advisories/GHSA-g6vq-wc8w-4g69 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-4015 (ghsa, ADVISORY)
- github.com/firefly-iii/firefly-iii/commit/518b4ba5a7a56760902758ae0a2c6a392c2f4d37 (ghsa, x_refsource_MISC, WEB)
- github.com/firefly-iii/firefly-iii/releases/tag/5.6.5 (ghsa, WEB)
- huntr.dev/bounties/b698d445-602d-4701-961c-dffe6d3009b1 (ghsa, x_refsource_CONFIRM, WEB)