CVE-2024-55076

Name: CVE-2024-55076
Description: Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.
NVD Severity: unknown

References

| Type | URI |
| --- | --- |
| cve@mitre.org | https://m10x.de/posts/2024/11/all-your-recipe-are-belong-to-us-part-1/3-stored-xss-csrf-and-broken-access-control-vulnerabilities-in-grocy/ |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | grocy | >= 0 | <= 4.3.0 |
| cpe:2.3:a:grocy_project:grocy:*:*:*:*:*:*:*:* | grocy | >= None | <= 4.3.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| grocy | edge-community | 4.3.0-r1 | Will Sinatra <wpsinatra@gmail.com> | possibly vulnerable |
| grocy | edge-community | 4.3.0-r0 | Will Sinatra <wpsinatra@gmail.com> | possibly vulnerable |
| grocy | edge-community | 4.2.0-r1 | Will Sinatra <wpsinatra@gmail.com> | possibly vulnerable |
| grocy | 3.22-community | 4.2.0-r1 | Will Sinatra <wpsinatra@gmail.com> | possibly vulnerable |