What is Firefly III?
Firefly III is an open-source application compatible with multiple devices. Firefly III tracks personal finances, including “any currency you want, including cryptocurrencies such as Bitcoin and Ethereum.” According to the official website, Firefly III is “a self-hosted financial manager. It can help you keep track of expenses, income, budgets, and everything in between. It supports credit cards, shared household accounts, and savings accounts. It’s pretty fancy. You should use it to save and organise money.” According to information gathered by Github from official Firefly III documentation, users wishing to run Firefly III may do so via the following steps;
The Firefly III Software Vulnerability
Github repository released a report on October 9th, 2021 informing the community about a high-risk software vulnerability affecting Firefly III. Another open-source exploit research database known as ‘huntr‘ released information about this on October 1st, 2021. The software vulnerability, technically speaking known as type arbitrary file upload, allows a cybercriminal to upload a malicious file on the server. The exploit is very simple and publicly available.
In-depth Technical Details
According to information from security reports, the vulnerability allows a remote attacker to compromise a vulnerable system. This particular vulnerability exists due to insufficient validation of a file during file upload while creating a new bill. Therefore, a remote attacker can upload a malicious file and execute it on the server.
Vulnerable Software Versions
The following versions of Firefly III are vulnerable to the above vulnerability; Firefly III: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.6.0, 5.6.1
Information For Firefly III Users
It is key for users to know that a public exploit is available for the Firefly III vulnerability. However, a fix has been released that addresses the issue. Users should immediately ensure that the software has been automatically upgraded to version 5.6.2 to avoid potential cybercrime dangers. More information about upgrades and installation for the latest version of Firefly III can be found here.