How severe is CVE-2024-37893?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.9 out of 10.

What type of vulnerability is CVE-2024-37893?

This is classified as CWE-287, which is a common weakness in software security.

CVE-2024-37893 - MEDIUM Severity | CVSS 5.9

Vulnerability Description

Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try sign an OAuth application up to a users profile quite easily if they have created one. The attacker would also need to know the victims username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should Use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager.

Related Vulnerabilities

CVE-2013-3096

MEDIUM

CVSS:5.9(Medium)

D-Link DIR865L v1.03 suffers from an "Unauthenticated Hardware Linking" vulnerability.

CWE-2872013

CVE-2013-5123

MEDIUM

CVSS:5.9(Medium)

The mirroring support (-M, --use-mirrors) in Python Pip before 1.5 uses insecure DNS querying and authenticity checks which allows attackers to perform man-in-the-middle attacks.

CWE-2872013

CVE-2014-10067

MEDIUM

CVSS:5.9(Medium)

paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacke...

CWE-2872014

CVE-2016-2124

MEDIUM

CVSS:5.9(Medium)

A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.

CWE-2872016

CVE-2017-12196

MEDIUM

CVSS:5.9(Medium)

undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header match...

CWE-2872017

CVE-2017-14117

MEDIUM

CVSS:5.9(Medium)

The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG599 devices, when IP Passthrough mode is not used, configures an unauthenticated proxy service on WAN TCP port 49152, which allows remo...

CWE-2872017