Grocy

5 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty, in its original format.

Exploit
  • EPSS 0.12%
  • Published 06.01.2025 21:15:15
  • Last modified 05.09.2025 14:07:09

Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.

Exploit
  • EPSS 0.07%
  • Published 06.01.2025 21:15:14
  • Last modified 29.09.2025 17:47:24

Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes.

Exploit
  • EPSS 0.12%
  • Published 06.01.2025 20:15:39
  • Last modified 05.09.2025 00:23:07

The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370.

Exploit
  • EPSS 0.2%
  • Published 01.09.2024 22:15:14
  • Last modified 29.09.2025 13:59:14

A vulnerability classified as problematic was found in Grocy up to 4.2.0. This vulnerability affects unknown code of the file /api/files/recipepictures/ of the component SVG File Upload Handler. The manipulation of the argument force_serve_as with th...

Exploit
  • EPSS 0.62%
  • Published 14.10.2020 19:15:13
  • Last modified 21.11.2024 05:05:12

Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shop...