CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-55076: Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.

8.1 CVSS

Description

Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.

Classification

CVE ID: CVE-2024-55076

CVSS Base Severity: HIGH

CVSS Base Score: 8.1

Affected Products

Vendor: Grocy project

Product: Grocy

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://m10x.de/posts/2024/11/all-your-recipe-are-belong-to-us-part-1/3-stored-xss-csrf-and-broken-access-control-vulnerabilities-in-grocy/

Timeline