Login Sign Up

CVE-2023-1788

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

CVE-2023-1788 is an insufficient session expiration vulnerability in Firefly III personal finance software that allows attackers to maintain access to user sessions indefinitely after logout. This affects all Firefly III instances running versions prior to 6.0.0, potentially enabling unauthorized access to financial data.

💻 Affected Systems

Products:
  • Firefly III
Versions: All versions prior to 6.0.0
Operating Systems: All platforms running Firefly III
Default Config Vulnerable: ⚠️ Yes
Notes: All Firefly III installations are affected regardless of configuration.

📦 What is this software?

Firefly Iii by Firefly Iii

View all CVEs affecting Firefly Iii →

Firefly Iii by Firefly Iii

View all CVEs affecting Firefly Iii →

Firefly Iii by Firefly Iii

View all CVEs affecting Firefly Iii →

Firefly Iii by Firefly Iii

View all CVEs affecting Firefly Iii →

Firefly Iii by Firefly Iii

View all CVEs affecting Firefly Iii →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain persistent access to user accounts, leading to complete financial data exposure, unauthorized transactions, and potential account takeover.

🟠

Likely Case

Session hijacking allowing attackers to access sensitive financial information and perform unauthorized actions within compromised sessions.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though session data remains at risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires initial authentication but session persistence is trivial once obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.0 and later

Vendor Advisory: https://github.com/firefly-iii/firefly-iii/commit/68f398f97cbe1870fc098d8460bf903b9c3fab30

Restart Required: Yes

Instructions:

1. Backup your Firefly III database and configuration. 2. Update to Firefly III version 6.0.0 or later via git pull or package manager. 3. Run database migrations: php artisan migrate. 4. Restart the web server/service.

🔧 Temporary Workarounds

Manual Session Cleanup

all

Implement custom session cleanup scripts to force session expiration

php artisan session:table
php artisan migrate
Configure session cleanup in config/session.php

🧯 If You Can't Patch

  • Implement network segmentation to isolate Firefly III from untrusted networks
  • Enable aggressive session timeout policies and force logout all users

🔍 How to Verify

Check if Vulnerable:

Check Firefly III version in web interface or via command: php artisan --version

Check Version:

php artisan --version

Verify Fix Applied:

Verify version is 6.0.0 or higher and test that sessions properly expire after logout

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful logins from same session ID over extended periods
  • Session IDs persisting beyond configured timeout

Network Indicators:

  • Unusual session duration patterns
  • Multiple requests with same session token over hours/days

SIEM Query:

source="firefly-iii" AND (event="login" OR event="session") | stats count by session_id, user | where count > 10 AND duration > 3600

📊 Metadata

CVE ID: CVE-2023-1788
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-613
Published: April 5, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-1788, you might also want to check these:

CVE-2024-8888 10.0

An attacker on the same network as a vulnerable CIRCUTOR Q-SMT device can steal authentication token...

Same vulnerability type (CWE-613)
CVE-2023-5865 9.8

This vulnerability in phpMyFAQ allows attackers to maintain access to user sessions beyond intended ...

Same vulnerability type (CWE-613)
CVE-2024-25718 9.8

This vulnerability in the Samly package for Elixir allows expired authentication sessions to remain ...

Same vulnerability type (CWE-613)