CVE-2024-37893

Source
https://cve.org/CVERecord?id=CVE-2024-37893
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37893.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-37893
Aliases
Published
2024-06-17T19:39:32.438Z
Modified
2026-04-10T05:15:32.289657Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
MFA bypass in oauth flow in Firefly III
Details

Firefly III is a free and open source personal finance manager. In affected versions, an MFA bypass in the Firefly III OAuth flow may allow a malicious user to skip the MFA check. An attacker who already holds a victim's username and password (for example a password reused elsewhere, obtained from a breach and confirmed by password spraying) can use the OAuth flow to reach Firefly III data without presenting the second factor. Because OAuth applications are enumerable through an incrementing id, an attacker who has registered an OAuth application can readily attempt to sign it up to the victim's profile. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should use a unique password for their Firefly III instance and store it securely, e.g. in a password manager.
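The defect class described above, as an added example that is not Firefly III's own code: a toy authorization-code issuer in which the OAuth authorize step trusts the password step alone (the bug pattern) next to one that requires the session to have completed MFA before a client is bound to the account (the hardened form). The user store, the fixed MFA code, the client registry with sequential ids and the `Session` object are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import hmac
import secrets

# Constructed sample data (an assumption, not Firefly III's schema): one
# account with MFA enabled. The plaintext comparison keeps the toy short;
# real code stores a password hash.
USERS = {"alice": {"password": "correct horse battery staple", "mfa": True}}
MFA_CODES = {"alice": "492817"}          # constructed stand-in for a TOTP value

# Constructed client registry with sequential ids, mirroring the advisory's
# point that OAuth clients are enumerable, so an attacker can guess an id.
OAUTH_CLIENTS = {1: "budget dashboard", 2: "attacker-registered app"}


@dataclass
class Session:
    user: Optional[str] = None
    password_ok: bool = False
    mfa_ok: bool = False


def login(session: Session, username: str, password: str) -> bool:
    """First factor. On success the session is only half-authenticated."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    session.user, session.password_ok, session.mfa_ok = username, True, False
    return True


def complete_mfa(session: Session, code: str) -> bool:
    """Second factor; only meaningful once the password step succeeded."""
    if not session.password_ok:
        return False
    expected = MFA_CODES.get(session.user, "")
    session.mfa_ok = hmac.compare_digest(expected, code)
    return session.mfa_ok


def authorize_vulnerable(session: Session, client_id: int) -> Optional[str]:
    """Bug pattern: the authorize endpoint checks only that a password login
    happened, so a client is bound to the account before any MFA challenge."""
    if client_id not in OAUTH_CLIENTS or not session.password_ok:
        return None
    return secrets.token_urlsafe(16)      # authorization code handed to the client


def authorize_fixed(session: Session, client_id: int) -> Optional[str]:
    """Hardened: the authorize endpoint demands the same authentication level
    as the rest of the application, i.e. MFA completed where it is enabled."""
    if client_id not in OAUTH_CLIENTS or not session.password_ok:
        return None
    if USERS[session.user]["mfa"] and not session.mfa_ok:
        return None                       # caller should redirect to the MFA challenge
    return secrets.token_urlsafe(16)


def attacker_with_stolen_password(client_id: int = 2) -> Tuple[bool, bool]:
    """Attacker knows alice's reused password but not her MFA code.
    Returns (got_code_from_vulnerable, got_code_from_fixed)."""
    s = Session()
    if not login(s, "alice", "correct horse battery staple"):
        raise RuntimeError("constructed password should match")
    return (authorize_vulnerable(s, client_id) is not None,
            authorize_fixed(s, client_id) is not None)


def legitimate_user(client_id: int = 1) -> bool:
    """Real user completes both factors; the fixed endpoint still issues a code."""
    s = Session()
    login(s, "alice", "correct horse battery staple")
    complete_mfa(s, "492817")
    return authorize_fixed(s, client_id) is not None


if __name__ == "__main__":
    print("vulnerable/fixed code issued to attacker:", attacker_with_stolen_password())
    print("fixed endpoint works for legitimate user:", legitimate_user())
```

The check that matters is the one in `authorize_fixed`: every entry point that can bind a credential or client to an account (interactive login, OAuth authorize, API token creation) has to consult the same "is this session fully authenticated" predicate, otherwise the weakest entry point sets the effective security level.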

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287",
        "CWE-288"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37893.json"
}
References

Affected packages

Git / github.com/firefly-iii/firefly-iii

Affected ranges

Type
GIT
Repo
https://github.com/firefly-iii/firefly-iii
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.1.17"
        }
    ]
}
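To turn the introduced/fixed events above into a yes/no answer for a deployed instance, here is an added example (not OSV's or Firefly III's code) that parses Firefly III tag names such as `v6.0.0-beta.2`, `4.8.2-alpha.1` or `3.4.6.1` into sortable keys and evaluates them against this record's range. The `EVENTS` constant is a copy of the versions block above; the tag samples are taken from the affected-versions list below. Tags that are not versions (the `develop-*` and branch names listed under "Other") are reported as unknown rather than silently treated as unaffected.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Copy of this record's "versions" events from the database_specific block.
EVENTS: List[Dict[str, str]] = [{"introduced": "0"}, {"fixed": "6.1.17"}]

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
VersionKey = Tuple[Tuple[int, ...], Tuple[int, int]]


def parse_version(tag: str) -> Optional[VersionKey]:
    """Sortable key for a tag, or None when the tag is not a version at all
    (e.g. 'develop-20240331.1', 'chart-fix'). A release sorts after every
    pre-release of the same number, as semver requires."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)\.(\d+))?", tag)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * max(0, 4 - len(nums))   # pad so 6.1 == 6.1.0.0
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (99, 0)
    return nums, pre


def is_affected(tag: str, events: List[Dict[str, str]] = EVENTS) -> Optional[bool]:
    """OSV event semantics: 'introduced' opens a range, the next 'fixed'
    closes it (half-open). Returns None when the tag cannot be evaluated."""
    key = parse_version(tag)
    if key is None:
        return None
    affected = False
    open_at: Optional[VersionKey] = None
    for ev in events:
        if "introduced" in ev:
            open_at = ((0, 0, 0, 0), (0, 0)) if ev["introduced"] == "0" \
                else parse_version(ev["introduced"])
        elif "fixed" in ev and open_at is not None:
            fixed = parse_version(ev["fixed"])
            if fixed is not None and open_at <= key < fixed:
                affected = True
            open_at = None
    if open_at is not None and open_at <= key:      # range never closed
        affected = True
    return affected


def triage(tags: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket a set of deployed tags into affected / unaffected / unknown."""
    out: Dict[str, List[str]] = {"affected": [], "unaffected": [], "unknown": []}
    for t in tags:
        r = is_affected(t)
        out["unknown" if r is None else "affected" if r else "unaffected"].append(t)
    return out


# Constructed sample drawn from the tag list in this record plus one later release.
SAMPLE_TAGS = ["v6.1.16", "6.1.17", "v6.0.0-beta.2", "3.4.6.1",
               "4.8.2-alpha.1", "develop-20240518", "6.2.0"]

if __name__ == "__main__":
    for bucket, tags in triage(SAMPLE_TAGS).items():
        print(f"{bucket:10s} {tags}")
```

The half-open comparison (`open_at <= key < fixed`) is the detail worth checking when you write this yourself: `6.1.17` is the fix, so it must land in the unaffected bucket, while `6.1.17-beta.1` would still be affected.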

Affected versions

3.*
3.0.0
3.0.1
3.0.2
3.1
3.1.1
3.1.3
3.1.4
3.1.5
3.10
3.10.1
3.10.2
3.10.3
3.10.4
3.2.5
3.3
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.4.10
3.4.11
3.4.6.1
3.4.7
3.4.8
3.4.9
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.6.1
3.6.0
3.6.1
3.7.0
3.7.1
3.7.2
3.7.2.1
3.7.2.2
3.7.2.3
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.9.0
3.9.1
4.*
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.6.0
4.6.1
4.6.10
4.6.11
4.6.11.1
4.6.12
4.6.13
4.6.2
4.6.3
4.6.3.1
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.7.0
4.7.1
4.7.1.1
4.7.1.2
4.7.1.3
4.7.1.4
4.7.10
4.7.11
4.7.12
4.7.12.1
4.7.13
4.7.14
4.7.15
4.7.16
4.7.17
4.7.17.1
4.7.17.2
4.7.17.3
4.7.17.4
4.7.17.5
4.7.17.6
4.7.2
4.7.2.1
4.7.2.2
4.7.3
4.7.3.1
4.7.3.2
4.7.4
4.7.5
4.7.5.1
4.7.5.2
4.7.5.3
4.7.6
4.7.6.1
4.7.6.2
4.7.7
4.7.8
4.7.9
4.8.0
4.8.0.1
4.8.0.2
4.8.0.3
4.8.1
4.8.1.1
4.8.1.2
4.8.1.3
4.8.1.4
4.8.1.5
4.8.1.6
4.8.1.7
4.8.1.8
4.8.2
4.8.2-alpha.1
4.8.2-alpha.2
4.8.2-alpha.3
4.8.2-alpha.4
4.8.2-alpha.5
4.8.2-alpha.6
4.8.2-beta.1
4.8.2-beta.2
4.8.3-alpha.1
5.*
5.0.0
5.0.0-alpha.1
5.0.0-alpha.2
5.0.0-beta.1
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.1.0
5.1.0-alpha.1
5.1.0-beta.1
5.1.1
5.2.0
5.2.0-alpha.1
5.2.0-beta.1
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.3.0
5.3.0-alpha.1
5.3.0-beta.1
5.3.0-beta.2
5.3.1
5.3.2
5.3.3
5.4.0
5.4.0-alpha.1
5.4.0-alpha.2
5.4.0-alpha.3
5.4.0-beta.1
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.5.0
5.5.0-beta.1
5.5.0-beta.2
5.5.0-beta.3
5.5.1
5.5.10
5.5.11
5.5.12
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.5.8
5.5.9
5.6.0
5.6.0-alpha.1
5.6.0-alpha.2
5.6.1
5.6.10
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
5.6.8
5.6.9
5.7.0
5.7.1
5.7.10
5.7.11
5.7.12
5.7.13
5.7.14
5.7.15
5.7.16
5.7.17
5.7.18
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.9
5.8.0-alpha.1
6.*
6.0.0-alpha.1
6.0.0-alpha.2
6.0.0-beta.1
6.0.9
Other
account-repos
chart-fix
develop-20240128
develop-20240129
develop-20240130
develop-20240201
develop-20240205
develop-20240311
develop-20240314
develop-20240318
develop-20240319
develop-20240321
develop-20240325
develop-20240327
develop-20240328
develop-20240331
develop-20240401
develop-20240402
develop-20240403
develop-20240404
develop-20240407
develop-20240408
develop-20240411
develop-20240415
develop-20240418
develop-20240421
develop-20240422
develop-20240425
develop-20240426
develop-20240429
develop-20240430
develop-20240502
develop-20240506
develop-20240513
develop-20240518
develop-20240331.*
develop-20240331.1
develop-20240401.*
develop-20240401.1
develop-20240407.*
develop-20240407.1
develop-20240418.*
develop-20240418.1
develop-20240516.*
develop-20240516.1
v6.*
v6.0.0
v6.0.0-beta.1
v6.0.0-beta.2
v6.0.1
v6.0.10
v6.0.11
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.8
v6.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37893.json"