php · grumpydictator/firefly-iii
Heads-up
Firefly III Stored XSS in Piggy Bank Names via Audit Logs
Stored XSS vulnerability: piggy bank names are rendered unsanitized in audit log views, allowing arbitrary JavaScript execution.
What changed
Piggy bank names were written into the transaction audit log view (`resources/views/list/ale.twig`) without escaping, so a name containing HTML or script markup is rendered as markup and executed in the browser of whoever views the audit log. The fix escapes the name when it is output.
Who it affects
All Firefly III instances v6.6.2 and earlier where users can create piggy banks and view transaction audit logs.
What to do today
Apply the fix from PR #12271: add the `|e` filter to `logEntry.after.piggy` in `resources/views/list/ale.twig`, so the template outputs `logEntry.after.piggy|e` instead of the raw value.
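As an added example (not Firefly III's own code): what the `|e` filter in `ale.twig` changes for a piggy bank name, reproduced in plain PHP with Twig's html escaping strategy (`htmlspecialchars` with `ENT_QUOTES | ENT_SUBSTITUTE`, UTF-8), plus a check operators can run over already stored piggy bank names on an instance that was exposed before patching. The shape of the log entry array and the sample names are assumptions.

```php
<?php
// Added example, not Firefly III code. The log entry array shape and the
// sample piggy bank names below are constructed for illustration.
declare(strict_types=1);

/** Equivalent of Twig's `|e` filter (html strategy): escapes & < > " and '. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The vulnerable shape: the stored name is dropped into the cell as-is. */
function renderPiggyCellUnescaped(array $logEntry): string
{
    return '<td>' . $logEntry['after']['piggy'] . '</td>';
}

/** The fixed shape, matching `{{ logEntry.after.piggy|e }}`. */
function renderPiggyCellEscaped(array $logEntry): string
{
    return '<td>' . escapeHtml($logEntry['after']['piggy']) . '</td>';
}

/**
 * Defender check: return stored piggy bank names containing HTML
 * metacharacters; on an unpatched instance these reached the browser as markup.
 */
function findSuspiciousPiggyNames(array $names): array
{
    return array_values(array_filter(
        $names,
        fn(string $name): bool => preg_match('/[<>"\']/', $name) === 1
    ));
}

// Constructed sample log entries: one benign name, one carrying a script tag.
$entries = [
    ['after' => ['piggy' => 'Holiday fund']],
    ['after' => ['piggy' => '<script>alert(1)</script>']],
];

foreach ($entries as $entry) {
    echo renderPiggyCellUnescaped($entry), PHP_EOL; // markup reaches the browser intact
    echo renderPiggyCellEscaped($entry), PHP_EOL;   // markup is shown as literal text
}

// Names an operator should review in existing data (only the second one here).
print_r(findSuspiciousPiggyNames(array_column(array_column($entries, 'after'), 'piggy')));
```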