A vulnerability classified as problematic was found in Grocy up to 4.2.0. This vulnerability affects unknown code of the file /api/files/recipepictures/ of the component SVG File Upload Handler. The manipulation of the argument force_serve_as with the input picture' leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. Unfortunately, the project maintainer does not want to be quoted in any way regarding the dispute rationale. The security policy of the project implies that this finding is "practically irrelevant" due to authentication requirements.
References
| Link | Resource |
|---|---|
| https://vuldb.com/?ctiid.276274 | Permissions Required VDB Entry |
| https://vuldb.com/?id.276274 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.400844 | Third Party Advisory VDB Entry Exploit |
Configurations
History
29 Sep 2025, 13:59
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Grocy Project grocy
Grocy Project |
|
| References | () https://vuldb.com/?ctiid.276274 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?id.276274 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.400844 - Third Party Advisory, VDB Entry, Exploit | |
| CPE | cpe:2.3:a:grocy_project:grocy:*:*:*:*:*:*:*:* |
Information
Published : 2024-09-01 22:15
Updated : 2025-09-29 13:59
NVD link : CVE-2024-8370
Mitre link : CVE-2024-8370
CVE.ORG link : CVE-2024-8370
JSON object : View
Products Affected
grocy_project
- grocy
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')