CVE-2024-37893: 
PHP vulnerability analysis and mitigation

Firefly III, a free and open source personal finance manager, was found to contain a Multi-Factor Authentication (MFA) bypass vulnerability (CVE-2024-37893) in its OAuth flow. The vulnerability was disclosed on June 17, 2024, affecting versions prior to 6.1.17. This security flaw allows malicious users to bypass the MFA check during the authentication process (GitHub Advisory).

The vulnerability exists in the OAuth flow implementation where OAuth applications are easily enumerable using an incrementing ID. This design flaw, combined with the MFA bypass, enables attackers to attempt signing an OAuth application up to a user's profile if they have created one. The attack requires knowledge of the victim's username and password. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability enables attackers to bypass MFA protection and potentially gain unauthorized access to Firefly III data. By combining this with password spraying techniques, attackers can attempt to compromise accounts using passwords stolen from other sources (OWASP Password Spraying, Menlo Security).

The vulnerability has been patched in Firefly III version 6.1.17 and later versions. For users unable to upgrade immediately, it is recommended to use a unique password for their Firefly III instance and store it securely in a password manager (GitHub Advisory).