CVE-2024-8370

CVSS 3.1 Score 3.5 of 10 (low)

Details

Published Sep 1, 2024
Updated: Sep 3, 2024
CWE ID 79

Summary

CVE-2024-8370 is a vulnerability found in Grocy versions up to 4.2.0, specifically affecting the SVG File Upload Handler in the API endpoint /api/files/recipepictures/. This vulnerability allows for cross-site scripting (XSS) attacks through the manipulation of the argument force_serve_as with specific inputs. The potential danger includes unauthorized remote exploitation, although the project's security policy suggests that this vulnerability is considered "practically irrelevant" due to authentication requirements. Remediation steps are not explicitly provided; however, organizations should ensure they are running updated versions of Grocy and monitor for any patches or advisories from project maintainers. The current exploitability score is low, indicating a limited threat level under certain conditions, requiring user interaction for successful exploitation.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share