CVE-2024-22075: 
PHP vulnerability analysis and mitigation

CVE-2024-22075 affects Firefly III versions before 6.1.1, allowing webhooks HTML Injection. The vulnerability was discovered and reported by Stefan Schiller from Sonar, and was fixed with the release of version 6.1.1 on December 26, 2023 (Firefly Release).

The vulnerability involves a combination of Client-Side Path Traversal (CSPT) and a deliberate sanitization bypass in Vue.js. The issue stems from using the v-html directive to bypass Vue.js's built-in sanitization, coupled with unsanitized user input from URL parameters that could traverse to unintended API endpoints. The vulnerability has a CVSS v3.1 base score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD Database).

While the vulnerability could potentially allow HTML injection, its impact was limited due to Firefly III's strong Content-Security-Policy (CSP). An attacker could still inject arbitrary HTML or CSS into the page, potentially enabling phishing attacks through page redirects or using CSS data exfiltration techniques (Sonar Blog).

The vulnerability was patched in Firefly III version 6.1.1 with two key fixes: converting the webhookId extracted from the URL to an integer, and modifying the error message handling to prevent dynamic data inclusion. Users should upgrade to version 6.1.1 or later to address this vulnerability (Firefly Release).

The vulnerability was responsibly disclosed by Sonar's security research team, with the Firefly III maintainers acknowledging and quickly addressing the issue. The security community has highlighted this as an example of how bypassing built-in framework sanitization can lead to security vulnerabilities, even when other security measures like CSP are in place (Sonar Blog).