grumpydictator/firefly-iii is vulnerable to cross-site scripting (XSS). The application does not escape user-provided data in the transaction description field and in the asset account name, so an attacker can inject a malicious script into a convert transaction that executes when a user visits the page.
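The difference between emitting these two fields as stored and encoding them at output time, shown as an added example that is not Firefly III's own code. The function names, the heading markup and the sample values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a user-controlled value for an HTML text or
// quoted-attribute context.
function e_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: both fields are concatenated into the markup exactly as stored,
// so any tags in the data become part of the page.
function render_convert_heading_unescaped(string $description, string $accountName): string
{
    return '<h3>Convert "' . $description . '" (' . $accountName . ')</h3>';
}

// After: both fields are encoded at output time and render as plain text.
function render_convert_heading_escaped(string $description, string $accountName): string
{
    return '<h3>Convert "' . e_html($description) . '" (' . e_html($accountName) . ')</h3>';
}

// Regression check: once the template's own <h3> wrapper is removed, no tag
// should remain. Any tag still present came from the data.
function contains_markup_from_data(string $html): bool
{
    $inner = preg_replace('~^<h3>|</h3>$~', '', $html);
    return $inner !== strip_tags($inner);
}

// Constructed sample values standing in for the two affected fields.
$description = 'Lunch <script>alert(1)</script>';
$accountName = 'Savings <img src=x onerror=alert(2)>';

$before = render_convert_heading_unescaped($description, $accountName);
$after  = render_convert_heading_escaped($description, $accountName);

echo $before, PHP_EOL;
echo $after, PHP_EOL;

var_dump(contains_markup_from_data($before)); // data-supplied tags reach the page
var_dump(contains_markup_from_data($after));  // tags arrive as &lt;...&gt; text
```

A check like `contains_markup_from_data` can be run in a test suite over every view that prints a description or an account name, so a template that skips encoding fails the build.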
CPE

Name | Operator | Version |
---|---|---|
grumpydictator/firefly-iii | le | 4.7.17.3 |