CVE-2021-3901

8.8 HIGH

📋 TL;DR

CVE-2021-3901 is a Cross-Site Request Forgery (CSRF) vulnerability in Firefly III personal finance software that allows attackers to trick authenticated users into performing unintended actions. This affects all Firefly III users with active sessions, potentially leading to unauthorized financial transactions or account modifications.

💻 Affected Systems

Products:
  • Firefly III
Versions: before commit b42d8d1e305cad70d9b83b33cd8e0d7a4b2060c2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Firefly III installations with an accessible web interface are affected. The vulnerability exists in the web application layer.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate financial data, create fraudulent transactions, modify account settings, or delete financial records without the user's knowledge.

🟠 Likely Case

Unauthorized financial transactions or account modifications performed by tricking authenticated users into clicking malicious links.

🟢 If Mitigated

With proper CSRF protections and user awareness, impact is limited to failed attack attempts with no successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks require user interaction but are well-understood and easy to implement. The vulnerability was publicly disclosed with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit b42d8d1e305cad70d9b83b33cd8e0d7a4b2060c2 and later

Vendor Advisory: https://github.com/firefly-iii/firefly-iii/commit/b42d8d1e305cad70d9b83b33cd8e0d7a4b2060c2

Restart Required: Yes

Instructions:

1. Update Firefly III to the latest version.
2. Apply commit b42d8d1e305cad70d9b83b33cd8e0d7a4b2060c2.
3. Restart the web server.
4. Clear browser caches for all users.

🔧 Temporary Workarounds

Enable CSRF Protection (all platforms)

Ensure CSRF tokens are properly implemented and validated for all state-changing requests.

Check that the 'VerifyCsrfToken' middleware is enabled in app/Http/Middleware.

SameSite Cookie Restrictions (all platforms)

Configure session cookies with the SameSite=Strict or Lax attribute to prevent cross-site requests.

Set 'session.cookie_samesite' to 'Strict' in the .env configuration.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to detect and block CSRF patterns
  • Educate users about phishing risks and safe browsing practices

🔍 How to Verify

Check if Vulnerable:

Check if your Firefly III version predates commit b42d8d1e305cad70d9b83b33cd8e0d7a4b2060c2

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify that CSRF tokens are present in all forms and validated on submission

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed CSRF token validations from the same IP
  • Unusual POST requests without referrer headers

Network Indicators:

  • Cross-origin requests to Firefly III endpoints
  • Requests missing CSRF tokens

SIEM Query:

source="firefly-iii" AND (event="csrf_token_mismatch" OR status=419)
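As an added example (not part of this page or of Firefly III), the log indicators above turned into a small detector: it parses constructed access log lines, counts HTTP 419 responses (Laravel's "Page Expired" status for a CSRF token mismatch) per client IP, and flags POST requests that arrive without a Referer header, with a Referer from another site, or with a foreign Origin header. The log format, the instance hostname, the threshold and the sample lines are all assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed log format:
#   ip "METHOD path" status "referer" "origin"   ("-" means header absent)
SAMPLE_LOG = """\
203.0.113.5 "POST /transactions/store" 419 "-" "http://evil.example"
203.0.113.5 "POST /transactions/store" 419 "-" "http://evil.example"
203.0.113.5 "POST /accounts/edit/1" 419 "-" "-"
198.51.100.7 "POST /transactions/store" 302 "https://firefly.example/transactions/create" "https://firefly.example"
198.51.100.7 "GET /transactions" 200 "-" "-"
192.0.2.9 "POST /rules/store" 200 "https://attacker.example/page" "-"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)" "([^"]*)"$')
OWN_ORIGIN = "https://firefly.example"   # assumed origin of the protected instance
CSRF_FAILURE_THRESHOLD = 2               # assumed: flag an IP at this many 419s


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, status, referer, origin = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status),
            "referer": referer, "origin": origin}


def analyze(log_text):
    """Return (ips_with_repeated_csrf_failures, suspicious_post_requests)."""
    csrf_failures = Counter()
    suspicious = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["status"] == 419:          # Laravel CSRF token mismatch
            csrf_failures[rec["ip"]] += 1
        if rec["method"] == "POST":
            missing_referer = rec["referer"] == "-"
            foreign_referer = rec["referer"] != "-" and not rec["referer"].startswith(OWN_ORIGIN)
            foreign_origin = rec["origin"] != "-" and rec["origin"] != OWN_ORIGIN
            if missing_referer or foreign_referer or foreign_origin:
                suspicious.append(rec)
    ips = sorted(ip for ip, n in csrf_failures.items() if n >= CSRF_FAILURE_THRESHOLD)
    return ips, suspicious
```

A POST with a missing Referer is a weak signal on its own (privacy extensions strip it), so treat it as a candidate to correlate with the 419 count rather than an alert by itself.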
