Grocy Project: Grocy 4.3.0 Security Vulnerabilities
Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.
CVSS Score: 8.1 | EPSS Score: 0.0 | Published: 2025-01-06
Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes.
CVSS Score: 4.3 | EPSS Score: 0.0 | Published: 2025-01-06
The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2025-01-06