CVE-2024-55075

MEDIUM

Grocy <4.3.0 - Info Disclosure

Title source: llm

Description

Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not shown in the UI, such as calendar and recipes.

References (1)

[Exploit, Third Party Advisory] https://m10x.de/posts/2024/11/all-your-recipe-are-belong-to-us-part-1/3-stored-xss-csrf-and-broken-access-control-vulnerabilities-in-grocy/

Scores

CVSS v3 4.3

EPSS 0.0005

EPSS Percentile 14.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-425

Status published

Products (1)

grocy_project/grocy < 4.3.0

Published Jan 06, 2025

Tracked Since Feb 18, 2026