Grocy Project: >> Grocy >> 2.4.0 Security Vulnerabilities
Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.
CVSS Score
8.1
EPSS Score
0.0
Published
2025-01-06
The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-01-06
A Cross-Site Scripting (XSS) vulnerability in the recipe preparation component within /api/objects/recipes and note component within /api/objects/shopping_lists/ of Grocy <= 4.0.3 allows attackers to obtain the victim's cookies.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-12-04
Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF).
CVSS Score
8.8
EPSS Score
0.002
Published
2023-09-15