CVE-2024-55074 — CVSS 8.8 (high): The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG…
CVE-2024-55076 — CVSS 8.1 (high): Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.
CVE-2023-48199 — CVSS 7.8 (high): HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTML content without…
CVE-2023-48866 — CVSS 5.4 (medium): A Cross-Site Scripting (XSS) vulnerability in the recipe preparation component within /api/objects/recipes and note component within…
CVE-2020-25454 — CVSS 5.4 (medium): Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe.
CVE-2023-48197 — CVSS 5.4 (medium): Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy 4.0.3 and earlier allows attackers to obtain…
CVE-2023-48198 — CVSS 5.4 (medium): A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3…
CVE-2023-48200 — CVSS 5.4 (medium): Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via…
CVE-2024-55075 — CVSS 4.3 (medium): Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such…
CVE-2024-8370 — CVSS 3.5 (low): A vulnerability classified as problematic was found in Grocy up to 4.2.0. This vulnerability affects unknown code of the file…