Moderate severity · NVD Advisory · Published Apr 1, 2023 · Updated Feb 11, 2025
Improper Input Validation in firefly-iii/firefly-iii
CVE-2023-1789
Description
Improper Input Validation in GitHub repository firefly-iii/firefly-iii prior to 6.0.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| grumpydictator/firefly-iii (Packagist) | < 6.0.0 | 6.0.0 |
Affected products
- Range: unspecified
Patches
6b05c0fbd3e8 Merge pull request #7043 from firefly-iii/fix-bad-escape
2 files changed · +11 −6
app/Factory/TransactionCurrencyFactory.php+6 −1 modified@@ -41,6 +41,11 @@ class TransactionCurrencyFactory */ public function create(array $data): TransactionCurrency { + $data['code'] = e($data['code']); + $data['symbol'] = e($data['symbol']); + $data['name'] = e($data['name']); + $data['decimal_places'] = (int)$data['decimal_places']; + $data['enabled'] = (bool)$data['enabled']; // if the code already exists (deleted) // force delete it and then create the transaction: $count = TransactionCurrency::withTrashed()->whereCode($data['code'])->count(); @@ -78,7 +83,7 @@ public function create(array $data): TransactionCurrency */ public function find(?int $currencyId, ?string $currencyCode): ?TransactionCurrency { - $currencyCode = (string)$currencyCode; + $currencyCode = (string)e($currencyCode); $currencyId = (int)$currencyId; if ('' === $currencyCode && 0 === $currencyId) {
app/Services/Internal/Update/CurrencyUpdateService.php+5 −5 modified@@ -41,23 +41,23 @@ class CurrencyUpdateService public function update(TransactionCurrency $currency, array $data): TransactionCurrency { if (array_key_exists('code', $data) && '' !== (string)$data['code']) { - $currency->code = $data['code']; + $currency->code = e($data['code']); } if (array_key_exists('symbol', $data) && '' !== (string)$data['symbol']) { - $currency->symbol = $data['symbol']; + $currency->symbol = e($data['symbol']); } if (array_key_exists('name', $data) && '' !== (string)$data['name']) { - $currency->name = $data['name']; + $currency->name = e($data['name']); } if (array_key_exists('enabled', $data) && is_bool($data['enabled'])) { - $currency->enabled = $data['enabled']; + $currency->enabled = (bool) $data['enabled']; } if (array_key_exists('decimal_places', $data) && is_int($data['decimal_places'])) { - $currency->decimal_places = $data['decimal_places']; + $currency->decimal_places = (int) $data['decimal_places']; } $currency->save();
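Review bot: in the `create()` hunk of app/Factory/TransactionCurrencyFactory.php the new `$data['decimal_places']` and `$data['enabled']` lines read those keys unconditionally, unlike the `array_key_exists` guards used in `CurrencyUpdateService::update()`; a caller that omits either key triggers an undefined-array-key warning and the value silently becomes `0` or `false`. Guard them the same way. Note also that `e()` HTML-encodes the value before it is stored, so `code`, `symbol` and `name` are persisted in entity-encoded form (`&` as `&amp;`) and the `whereCode($data['code'])` lookup just below now matches only rows stored that way; a short allowlist pattern for `code` would reject unexpected characters outright rather than encoding and storing them.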
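Review bot: in the `find()` hunk, `(string)e($currencyCode)` escapes the lookup key, so a search for a code containing `&`, `<`, `>`, `"` or `'` only matches a row whose stored code was escaped on the way in; rows written by the pre-patch `create()`/`update()` paths were stored unescaped, so lookups against them become inconsistent after this change. Either add a one-off migration of existing rows or verify that no stored code contains characters `e()` rewrites.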
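Review bot: in the `CurrencyUpdateService::update()` hunk, the added `(bool)` and `(int)` casts are no-ops because the surrounding `is_bool()`/`is_int()` checks already guarantee the type. The substantive issue is that Laravel's `e()` with its default arguments re-encodes existing entities (`&amp;` becomes `&amp;amp;`), so an edit form that round-trips an already-encoded `symbol` or `name` back through `update()` gains an extra encoding layer on every save; decoding on read, or validating the raw input here and encoding only at render time, avoids that drift.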
References
- github.com/advisories/GHSA-mwxw-hxvp-4r2r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-1789 (GHSA, advisory)
- github.com/firefly-iii/firefly-iii/commit/6b05c0fbd3e8c40ae9b24dc2698821786fccf0c5 (GHSA, web)
- github.com/firefly-iii/firefly-iii/pull/7043 (GHSA, web)
- huntr.dev/bounties/2c3489f7-6b84-48f8-9368-9cea67cf373d (GHSA, web)