Firefly III, Incorrect Authorization, CVE-2023-0298 (Medium)

Listen to this Post

The vulnerability stems from an authorization inconsistency within the User management controller, specifically a “1-of-N” flaw where certain methods lack proper role verification . While the `store()` and `destroy()` methods correctly check for the ‘owner’ role, the `index()` and `show()` methods at `/api/v1/users` and `/api/v1/users/{id}` are accessible to any authenticated user. This occurs because the route group in `routes/api.php` lacks the necessary admin middleware, only applying the global `auth:api` middleware. Consequently, a standard user can enumerate all accounts via the UserTransformer, which exposes sensitive details like email addresses, roles (owner/demo), and account status (blocked/block reason), leading to a medium-severity information disclosure .

dailycve form:

Platform: Firefly III
Version: prior 5.8.0
Vulnerability : Incorrect Authorization
Severity: 6.5 Medium
date: 2023-01-18

Prediction: already patched

What Undercode Say:

Analytics:

The vulnerability is caused by missing authorization checks in API controllers, a common oversight in web development. The `index` and `show` methods, located at `UserController.php` lines 94 and 126, lack the role validation present in other methods like `store` and destroy. The route group at `routes/api.php:734-747` is only protected by auth:api, not an admin-specific middleware, allowing any authenticated user to query these endpoints.

Exploit:

List all users (enumerate emails and roles)
curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users
View details of a specific user by ID
curl -H "Authorization: Bearer <any_user_token>" https://instance/api/v1/users/1

Protection:

Upgrade to Firefly III version 5.8.0 or later, where the patch implements proper role checks . As a temporary workaround, administrators can manually add middleware to the route group or inject ownership validation into the `index()` and `show()` methods as shown below.

Impact:

Any authenticated user can harvest all email addresses for phishing, identify high-privilege owner accounts for targeted attacks, and enumerate blocked accounts to understand internal security postures. This compromises user privacy and aids in social engineering campaigns.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top