CVE-2020-27981: Cross-site Scripting

October 28, 2020 (updated November 3, 2020)

An XSS vulnerability in the auto-complete function of the description field (for new or edited transactions) in Firefly III allows the user to execute JavaScript via suggested transaction titles. NOTE: this is exploitable only in a non-default configuration where Content Security Policy headers are disabled.

References

github.com/firefly-iii/firefly-iii/issues/3990
nvd.nist.gov/vuln/detail/CVE-2020-27981

Code Behaviors & Features

Detect and mitigate CVE-2020-27981 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →