VYPR
Moderate severity · NVD Advisory · Published Apr 5, 2023 · Updated Feb 10, 2025

Insufficient Session Expiration in firefly-iii/firefly-iii

CVE-2023-1788

Description

Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| grumpydictator/firefly-iii (Packagist) | < 6.0.0 | 6.0.0 |

Patches

68f398f97cbe

Merge pull request #7062 from firefly-iii/JC5-patch-1

https://github.com/firefly-iii/firefly-iii · James Cole · Feb 20, 2023 · via ghsa
1 file changed · +1 −1
  • config/session.php · +1 −1 · modified
    @@ -24,7 +24,7 @@
     return [
         'driver'          => env('SESSION_DRIVER', 'file'),
         'lifetime'        => 120,
    -    'expire_on_close' => false,
    +    'expire_on_close' => true,
         'encrypt'         => true,
         'files'           => storage_path('framework/sessions'),
         'connection'      => null,
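
Review bot: `'expire_on_close' => true` only changes what the browser is asked to do with the cookie (drop it when the browser closes); the server-side idle timeout is still the unchanged `'lifetime' => 120` one line above, so a session identifier that has left the browser remains usable until that lifetime elapses, and browsers configured to restore the previous session can keep session cookies across a restart. If the goal is to bound session validity, the server-side lifetime and invalidation on logout are the controls that enforce it, and neither is touched here. Both values are also hardcoded while `driver` on the line above reads from `env(...)`; consider exposing them the same way, for example `env('SESSION_LIFETIME', 120)`, so operators can tighten the timeout without editing `config/session.php`, and document the new default since it logs users out on every browser close.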
    
