CVE-2024-55074

8.8 HIGH

📋 TL;DR

This stored XSS vulnerability in Grocy's edit profile function allows attackers to upload malicious HTML or SVG files that execute arbitrary JavaScript when viewed. This can lead to privilege escalation by compromising admin accounts. All Grocy users up to version 4.3.0 are affected.

💻 Affected Systems

Products:
  • Grocy
Versions: through 4.3.0
Operating Systems: All platforms running Grocy
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the edit profile function specifically; different from CVE-2024-8370.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise through admin account takeover, data theft, and complete control over the Grocy instance.

🟠 Likely Case: Session hijacking, data manipulation, and unauthorized access to sensitive household inventory data.

🟢 If Mitigated: Limited impact with proper input validation and output encoding preventing script execution.

🌐 Internet-Facing: HIGH - Web applications with user upload functionality are prime targets for XSS attacks.
🏢 Internal Only: MEDIUM - Internal users could still exploit this, but attack surface is smaller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (viewing malicious content) and file upload capability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 4.3.0

Vendor Advisory: https://github.com/grocy/grocy/security/advisories

Restart Required: No

Instructions:

1. Update Grocy to the latest version.
2. Verify the edit profile function properly validates and sanitizes file uploads.
3. Clear any cached malicious files.

🔧 Temporary Workarounds

Disable file uploads in edit profile
  Platform: all
  Temporarily disable HTML/SVG file upload functionality in the edit profile feature.
  Action: Modify Grocy configuration to restrict file upload types

Implement Content Security Policy
  Platform: all
  Add CSP headers to prevent execution of inline scripts and untrusted sources.
  Action: Add 'Content-Security-Policy' header with script-src 'self'

🧯 If You Can't Patch

  • Implement strict file type validation to block HTML/SVG uploads
  • Deploy WAF with XSS protection rules
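The two workarounds that do not depend on a WAF, strict file type validation and a Content-Security-Policy header, are shown together below as an added example. This is not Grocy's code and does not reflect how Grocy's edit profile handler is implemented; the allow-list of image formats, the function names and the sample bytes are assumptions constructed for the example. The validator checks extension, declared content type and file header, and also scans the body for markup so that a renamed SVG/HTML file or an image/SVG polyglot is rejected rather than stored; the header helper emits the `script-src 'self'` policy from the workaround above for application pages and a stricter sandboxing policy for responses that serve uploaded files.

```python
import re
from pathlib import PurePosixPath

# Raster formats a profile-picture endpoint actually needs (assumption for this
# example; Grocy's real allow-list is not on the page).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
ALLOWED_MIME = {"image/png", "image/jpeg", "image/gif", "image/webp"}

# Magic-byte prefixes for the allowed formats, keyed by extension.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),  # RIFF container; the WEBP tag is checked separately
}

# Markup a browser would treat as an active document if the bytes were served
# as-is. Finding it inside an "image" catches renamed SVG/HTML files and
# polyglots (a valid image header followed by markup).
_ACTIVE_MARKUP = re.compile(
    rb"<\s*(svg|script|html|iframe|object|embed)\b|<\?xml|<!doctype",
    re.IGNORECASE,
)


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every check must pass before the file is stored."""
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} is not an allowed image type"
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_MIME:
        return False, f"declared content type {mime!r} is not an allowed image type"
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "file header does not match the declared image type"
    if ext == ".webp" and data[8:12] != b"WEBP":
        return False, "RIFF container is not a WEBP image"
    if _ACTIVE_MARKUP.search(data):
        return False, "active markup found inside image data"
    return True, "ok"


def response_headers(for_uploaded_file: bool) -> dict[str, str]:
    """CSP and related headers (hypothetical helper).

    Application pages get the script-src 'self' policy from the workaround;
    responses that serve user-uploaded files get a sandboxing policy so nothing
    in them can execute even if a bad file slipped past validation.
    """
    if for_uploaded_file:
        return {
            "Content-Security-Policy": "sandbox; default-src 'none'",
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": "attachment",
        }
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples for the example (not real uploads).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(32)
SVG_SAMPLE = b"<svg xmlns='http://www.w3.org/2000/svg'></svg>"

if __name__ == "__main__":
    cases = [
        ("avatar.png", "image/png", PNG_SAMPLE),               # accepted
        ("avatar.svg", "image/svg+xml", SVG_SAMPLE),           # rejected: extension
        ("avatar.png", "image/png", SVG_SAMPLE),               # rejected: header mismatch
        ("avatar.png", "image/png", PNG_SAMPLE + SVG_SAMPLE),  # rejected: polyglot
    ]
    for name, ctype, blob in cases:
        print(name, ctype, validate_upload(name, ctype, blob))
```

The body scan is a heuristic; the stronger form of the same control is to decode and re-encode every accepted image with an image library so that only pixel data, never the original bytes, reaches the upload directory.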

🔍 How to Verify

Check if Vulnerable:

Check whether the Grocy version is 4.3.0 or earlier, and whether the edit profile function accepts HTML/SVG file uploads.

Check Version:

Check the Grocy web interface footer or the configuration files for the version number.

Verify Fix Applied:

Test that HTML/SVG files are properly sanitized or rejected when uploaded via edit profile.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to edit profile
  • HTML/SVG files in upload directories
  • JavaScript errors from unexpected sources

Network Indicators:

  • Requests for uploaded HTML/SVG files with suspicious content

SIEM Query:

source="grocy" AND (file_upload="*.html" OR file_upload="*.svg")
