PT-2024-38975 · Grocy · Grocy

Stux · Published 2024-09-01 · Updated 2025-01-06 · CVE-2024-8370
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Grocy versions up to 4.2.0
Description: A problematic vulnerability was found in the SVG File Upload Handler component of Grocy, reachable through the /api/files/recipepictures/ path. Manipulating the force_serve_as argument with the value picture leads to cross-site scripting. Cross-site scripting through uploaded SVG follows the usual pattern: an authenticated user stores an SVG that embeds script as a recipe picture, and a request for that file with force_serve_as=picture returns it inline with an image content type, so the browser renders the SVG as a document and executes the embedded script in the application's origin for whoever opens the link (which is why the vector carries PR:L, UI:R and a changed scope). The attack can be initiated remotely. The real existence of this vulnerability is still disputed, and the project maintainer does not want to be quoted regarding the dispute rationale. The project's security policy implies that this finding is "practically irrelevant" because the endpoint requires authentication. Increased actor activity targeting Grocy has been observed.
Recommendations: Update to the latest Grocy release and apply all recommended patches; this entry names no fixed version. As a temporary workaround, restrict access to the /api/files/recipepictures/ path of the SVG File Upload Handler, and avoid requesting files from the affected endpoint with the force_serve_as argument set to picture until the issue is resolved. Serving uploaded SVG files only as attachments (or not accepting SVG uploads at all) removes the inline-rendering step the attack depends on, since a browser that does not render the SVG as a document cannot run script from it.

Weakness Enumeration
XSS

Related Identifiers
CVE-2024-8370

Affected Products
Grocy