GHSA-29w6-c52g-m8jc: 
PHP vulnerability analysis and mitigation

A CSV injection vulnerability (GHSA-29w6-c52g-m8jc) was discovered in Firefly III versions prior to 6.1.7. The vulnerability was published and reviewed on January 31, 2024, affecting the composer package grumpydictator/firefly-iii. The issue received a moderate severity rating with a CVSS score of 4.0 (GitHub Advisory).

The vulnerability involves the 'Export Data' functionality in Firefly III, where untrusted user input in CSV files could potentially lead to unauthorized access or data manipulation. The vulnerability has been assigned a CVSS v3.1 base score of 4.0 with the following metrics: Local attack vector, Low attack complexity, High privileges required, Required user interaction, Unchanged scope, and Low impact on confidentiality, integrity, and availability (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L) (GitHub Advisory).

According to the developer (JC5), there is zero impact on normal users, even on vulnerable versions. However, the potential risk exists when a user exports data as a CSV file from the application, particularly from the demo site, and opens it with Excel software that supports macros (GitHub Advisory).

The vulnerability has been patched in version 6.1.7 of Firefly III. Users are advised to upgrade to this version or later to mitigate the risk (GitHub Advisory).