CVE-2024-8370
CVSS 3.1 Score 3.5 of 10 (low)
Details
Summary
CVE-2024-8370 is a vulnerability found in Grocy versions up to 4.2.0, specifically affecting the SVG File Upload Handler in the API endpoint /api/files/recipepictures/. This vulnerability allows for cross-site scripting (XSS) attacks through the manipulation of the argument force_serve_as with specific inputs. The potential danger includes unauthorized remote exploitation, although the project's security policy suggests that this vulnerability is considered "practically irrelevant" due to authentication requirements. Remediation steps are not explicitly provided; however, organizations should ensure they are running updated versions of Grocy and monitor for any patches or advisories from project maintainers. The current exploitability score is low, indicating a limited threat level under certain conditions, requiring user interaction for successful exploitation.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.