This October has been particularly notable for easily exploitable, and already publicly exploited, software vulnerabilities affecting key software products. Ironically, October is traditionally observed as Cybersecurity Awareness Month in the tech community. Even as the community gathers to reflect on cybersecurity, notorious types of malware propagated by higher-tier cybercriminals, such as ransomware, and incidents such as high-profile data leaks continue to affect airlines, healthcare, and big tech this month.
What is Firefly III?
Firefly III is an open-source application compatible with multiple devices. Firefly III tracks personal finances, including “any currency you want, including cryptocurrencies such as Bitcoin and Ethereum.” According to the official website, Firefly III is “a self-hosted financial manager. It can help you keep track of expenses, income, budgets, and everything in between. It supports credit cards, shared household accounts, and savings accounts. It’s pretty fancy. You should use it to save and organise money.”
According to the official Firefly III documentation as published on GitHub, users wishing to run Firefly III have the following options:
- There is a demo site with an example financial administration already present.
- You can install it on your server.
- You can run it using Docker.
- You can install it using Softaculous.
- You can install it using AMPPS.
- You can install it on Cloudron.
- You can install it on Lando.
- You can install it on Yunohost.
The Firefly III Software Vulnerability
An advisory published on GitHub on October 9th, 2021 informed the community about a high-risk software vulnerability affecting Firefly III. The open-source vulnerability disclosure platform ‘huntr’ had already released information about it on October 1st, 2021. The vulnerability is of the arbitrary file upload type: it allows an attacker to upload a malicious file to the server. The exploit is very simple and publicly available.
In-depth Technical Details
According to the security reports, the vulnerability allows a remote attacker to compromise a vulnerable system. It exists because the file uploaded while creating a new bill is insufficiently validated. As a result, a remote attacker can upload a malicious file and have it executed on the server.
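The defensive counterpart to the flaw described above is an upload check that judges a file by its bytes and a strict allowlist rather than by the name or Content-Type the client supplies. The following is an added illustration written for this article, not Firefly III's own code: the accepted types, the size limit and the `upload_root` directory are constructed assumptions for a bill-attachment endpoint, and the storage directory is assumed to sit outside the web root with script execution disabled.

```python
import os
import secrets

# Constructed policy for an "attach a file to a bill" endpoint: each accepted
# MIME type is tied to the leading bytes (magic) the content must start with
# and to the extensions a client may give it. Nothing else is accepted.
ALLOWED_TYPES = {
    "application/pdf": (b"%PDF-", {".pdf"}),
    "image/png": (b"\x89PNG\r\n\x1a\n", {".png"}),
    "image/jpeg": (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for receipts and invoices


def validate_attachment(client_name: str, declared_mime: str, data: bytes):
    """Return (accepted, detail): detail is the canonical extension on success
    or the rejection reason. Only the final extension of the client name is
    considered, so a name like 'invoice.pdf.php' is judged on '.php'."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file exceeds size limit"
    if declared_mime not in ALLOWED_TYPES:
        return False, f"type not allowed: {declared_mime}"
    magic, extensions = ALLOWED_TYPES[declared_mime]
    # Trust the bytes, not the Content-Type header the client sent.
    if not data.startswith(magic):
        return False, "content does not match declared type"
    ext = os.path.splitext(os.path.basename(client_name).lower())[1]
    if ext not in extensions:
        return False, f"extension {ext!r} not valid for {declared_mime}"
    return True, ext


def storage_path(upload_root: str, client_name: str, declared_mime: str, data: bytes) -> str:
    """Path under which an accepted upload is stored. The client name is never
    reused (no traversal or script-extension tricks reach disk); the file gets
    a random name inside upload_root, which is assumed to be outside the web
    root and served without script execution."""
    accepted, detail = validate_attachment(client_name, declared_mime, data)
    if not accepted:
        raise ValueError(detail)
    return os.path.join(upload_root, secrets.token_hex(16) + detail)
```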
Vulnerable Software Versions
The following versions of Firefly III are affected by the above vulnerability:
Firefly III: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.6.0, 5.6.1
Information For Firefly III Users
It is key for users to know that a public exploit is available for the Firefly III vulnerability. However, a fix has been released that addresses the issue. Users should immediately verify that their installation has been upgraded to version 5.6.2 to avoid the associated cybercrime risks. More information about upgrading to and installing the latest version of Firefly III can be found here.