Cyber Posture

CVE-2024-55076

Severity: High · Public PoC available

Published: 06 January 2025

Modified: 05 September 2025
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.9th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.

Security Summary

CVE-2024-55076 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, affecting Grocy through version 4.3.0. This open-source self-hosted grocery and household management application lacks CSRF protection entirely, enabling unauthorized actions on behalf of authenticated users. The issue is demonstrated by an attacker's ability to change the administrator's password via a forged request.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network without prior privileges, but with high attack complexity. An attacker can trick a logged-in user into submitting a forged request, for example through a crafted webpage or link, so that actions such as a password change are performed without the user's knowledge or consent. The impact on confidentiality, integrity, and availability is rated high, since a forged password change can lead to full administrative account takeover and subsequent control over the Grocy instance.

The referenced advisory describes this vulnerability alongside other issues in Grocy, including stored XSS and broken access control: https://m10x.de/posts/2024/11/all-your-recipe-are-belong-to-us-part-1/3-stored-xss-csrf-and-broken-access-control-vulnerabilities-in-grocy/. Security practitioners should consult that reference for the proof of concept and recommended mitigations, such as upgrading to a version later than 4.3.0 once a fixed release is available.

Details

CWE(s): CWE-352

Affected Products

Vendor: grocy project
Product: grocy
Versions: ≤ 4.3.0

References