VYPR
Moderate severity · NVD Advisory · Published Jan 5, 2024 · Updated Jun 5, 2025

CVE-2024-22075

Description

Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Firefly III before 6.1.1 contains an HTML injection vulnerability in webhooks that can lead to XSS when combined with a deliberate sanitization bypass in the Vue.js front end.

Vulnerability

Overview

CVE-2024-22075 is an HTML injection vulnerability in Firefly III, a personal finances manager, affecting versions before 6.1.1. The issue resides in the webhooks functionality, where user-controlled data is rendered without proper sanitization. According to Sonar's analysis, the Vue.js front end deliberately bypasses the framework's built-in sanitization (e.g., using bypassSecurityTrustHtml) to render rich content, but does so with attacker-controllable input, creating an XSS vector.[1]

Exploitation & Attack Surface

An attacker must have the ability to submit or modify webhook data (which may require authenticated access, depending on the deployment). The attack is chained with a client-side path traversal issue that allows the attacker to inject arbitrary HTML or JavaScript into the rendered page. No special network position is required if the attacker can craft a malicious webhook payload.[1]

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This could lead to data theft, session hijacking, or defacement. The impact is heightened because Firefly III manages sensitive financial information.[1]

Mitigation

Firefly III version 6.1.1 patches this vulnerability by properly sanitizing webhook input and fixing the underlying path traversal. Users should upgrade immediately. The fix is included in commit 28021aa, which also addresses related date-parsing exception handling.[3][4]
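The client-side path traversal fixed in Edit.vue comes from using the last URL path segment as a webhook id without validation. The following is an added example, not Firefly III code, of the strict form of that check: it parses the URL properly, accepts only an unsigned decimal integer, and refuses anything else, alongside the pre-fix pattern for comparison. The `/api/v1/webhooks/` path is assumed for illustration.

```javascript
// Added example (not Firefly III code): strict extraction of a numeric webhook id
// from the page URL, the defensive form of the pattern patched in Edit.vue.
// Using the raw last path segment lets a crafted URL steer the follow-up API
// request to an unexpected path (client-side path traversal). parseInt() narrows
// it, but still yields NaN for non-numeric input and drops trailing characters.

function extractWebhookId(href) {
  // Let the URL parser strip query string and fragment before the id check.
  let pathname;
  try {
    pathname = new URL(href).pathname;
  } catch (e) {
    return null; // not an absolute URL: refuse rather than guess
  }
  // Drop empty segments so a trailing slash does not produce an empty id.
  const segments = pathname.split('/').filter((s) => s.length > 0);
  const last = segments[segments.length - 1];
  // Accept only an unsigned decimal integer; "42abc", "..%2F.." and "NaN" all fail.
  if (last === undefined || !/^[0-9]+$/.test(last)) {
    return null;
  }
  const id = Number(last);
  return Number.isSafeInteger(id) && id > 0 ? id : null;
}

// Builds the request path only from a validated id (assumed API path);
// callers must treat null as "do not send a request".
function webhookApiPath(href) {
  const id = extractWebhookId(href);
  return id === null ? null : `/api/v1/webhooks/${id}`;
}

// Pre-fix behaviour for comparison: the last segment is used verbatim,
// so whatever the URL ends with is spliced into the request path.
function unsafeWebhookApiPath(href) {
  const page = href.split('/');
  return `/api/v1/webhooks/${page[page.length - 1]}`;
}
```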

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: grumpydictator/firefly-iii (Packagist)
Affected versions: < 6.1.1
Patched versions: 6.1.1

Affected products: 2

Patches: 1

28021aa71150

Fix vulnerabilities reported by Stefan Schiller from Sonar. Thanks!

https://github.com/firefly-iii/firefly-iii · James Cole · Dec 20, 2023 · via ghsa
4 files changed · +7 −5
  • app/Services/Internal/Update/JournalUpdateService.php (+2 −1, modified)
    @@ -25,6 +25,7 @@
     
     use Carbon\Carbon;
     use Carbon\Exceptions\InvalidDateException;
    +use Carbon\Exceptions\InvalidFormatException;
     use FireflyIII\Events\TriggeredAuditLog;
     use FireflyIII\Exceptions\FireflyException;
     use FireflyIII\Factory\TagFactory;
    @@ -662,7 +663,7 @@ private function updateMetaDateFields(): void
                 if ($this->hasFields([$field])) {
                     try {
                         $value = '' === (string)$this->data[$field] ? null : new Carbon($this->data[$field]);
    -                } catch (InvalidDateException $e) { // @phpstan-ignore-line
    +                } catch (InvalidDateException|InvalidFormatException $e) { // @phpstan-ignore-line
                         app('log')->debug(sprintf('%s is not a valid date value: %s', $this->data[$field], $e->getMessage()));
     
                         return;
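Review bot: the `return;` at the end of this catch block exits `updateMetaDateFields()` entirely, so one unparsable value in a single `$field` silently skips every remaining meta date field; if this sits inside the per-field loop that `$field` suggests, `continue` (or clearing just that field) would be the safer choice. Catching `InvalidFormatException` is the right addition: in Carbon 2 `new Carbon($string)` throws that class for unparsable strings, so the old `InvalidDateException`-only catch let bad input surface as an unhandled exception, which is presumably why phpstan flagged the line; re-check whether the `@phpstan-ignore-line` marker is still needed now that the catch is reachable.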
    
  • app/Support/Binder/Date.php (+3 −2, modified)
    @@ -25,6 +25,7 @@
     
     use Carbon\Carbon;
     use Carbon\Exceptions\InvalidDateException;
    +use Carbon\Exceptions\InvalidFormatException;
     use FireflyIII\Helpers\Fiscal\FiscalHelperInterface;
     use Illuminate\Routing\Route;
     use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
    @@ -71,10 +72,10 @@ public static function routeBinder(string $value, Route $route): Carbon
     
             try {
                 $result = new Carbon($value);
    -        } catch (InvalidDateException $e) { // @phpstan-ignore-line
    +        } catch (InvalidDateException|InvalidFormatException $e) { // @phpstan-ignore-line
                 $message = sprintf('Could not parse date "%s" for user #%d: %s', $value, auth()->user()->id, $e->getMessage());
                 app('log')->error($message);
    -            throw new NotFoundHttpException($message, $e);
    +            throw new NotFoundHttpException('Could not parse value', $e);
             }
     
             return $result;
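Review bot: replacing `$message` with the fixed string `'Could not parse value'` in the `NotFoundHttpException` keeps the user-supplied `$value` out of an exception message that can end up in a rendered error page, which is the substantive fix in this hunk; the detailed message still goes to the log at error level, which is the right place for it. Two caveats: the previous exception `$e` is still chained and Carbon's own message embeds the raw input, so a debug-mode error page would still echo it (keep `APP_DEBUG` off in production); and `auth()->user()->id` will fault on a null user if this binder is ever reached on an unauthenticated route, so `auth()->id()` or a null check would be more robust.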
    
  • public/v1/js/webhooks/edit.js (+1 −1, modified)
  • resources/assets/js/components/webhooks/Edit.vue (+1 −1, modified)
    @@ -119,7 +119,7 @@ export default {
       methods: {
         getWebhook: function () {
           const page = window.location.href.split('/');
    -      const webhookId = page[page.length - 1];
    +      const webhookId = parseInt(page[page.length - 1]);
           this.downloadWebhook(webhookId);
         },
         downloadWebhook: function (id) {
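Review bot: `parseInt(page[page.length - 1])` stops an arbitrary last path segment from being passed through to `downloadWebhook`, but it is a lenient coercion: non-numeric input yields `NaN`, which then becomes the literal string `NaN` in whatever request path `downloadWebhook` builds, and characters after leading digits are silently dropped. Suggest a strict check that bails out on failure, e.g. `const last = page[page.length - 1]; if (!/^\d+$/.test(last)) { return; } const webhookId = Number(last);`, and passing the radix if `parseInt` is kept. Also, `window.location.href` includes any query string or fragment, so `.../edit/12?foo=1` yields `12` only by accident of `parseInt`; reading the id from the router's params or from `window.location.pathname` would be more robust. The matching change in the compiled `public/v1/js/webhooks/edit.js` should come from rebuilding the asset rather than a hand edit.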
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.