Grocy
cpe:2.3:a:grocy_project:grocy:*:*:*:*:*:*:*
- <= 4.3.0
A stored cross-site scripting vulnerability has been identified in Grocy versions through 4.3.0. The edit profile section accepts an uploaded HTML or SVG file without properly validating it, which allows privilege escalation: when an administrator accesses the stored file, the embedded script executes in the administrator's session and can perform unauthorized actions such as changing the admin password.
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded files are executed in the context of the user viewing the profile, and can be used to perform actions on behalf of that user, such as changing passwords.
To reproduce this vulnerability, upload a crafted HTML file containing a script that performs an action, such as changing a password, to the profile picture upload section. After uploading, remove any appended query parameters that force the file to be treated as an image. Once the file is accessed by an administrator, the script will execute and perform the specified action.
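Two independent checks that close this class of bug, shown as an added example in Python rather than Grocy's own PHP code: magic-byte validation that rejects HTML and SVG regardless of the declared extension, and response headers that stop a stored upload from ever being executed as a document. Function names and sample inputs are constructed for illustration.

```python
from typing import Optional

# Magic-byte signatures for the raster formats a profile picture may be.
# SVG and HTML are text, never match these, and are rejected by design.
_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
_EXT_TO_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
                "gif": "image/gif", "webp": "image/webp"}

def sniff_raster_type(data: bytes) -> Optional[str]:
    """Return the MIME type if the bytes start with a known raster signature."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    for magic, mime in _SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None

def validate_profile_picture(data: bytes, declared_ext: str) -> str:
    """Accept only raster images whose bytes match the declared extension.

    The extension is never trusted on its own: an HTML or SVG document
    renamed to .png fails the byte check; a real PNG uploaded as .jpg
    fails the consistency check. Raises ValueError on rejection.
    """
    mime = sniff_raster_type(data)
    if mime is None:
        raise ValueError("not a supported raster image (HTML/SVG rejected)")
    if _EXT_TO_MIME.get(declared_ext.lower()) != mime:
        raise ValueError(f".{declared_ext} does not match detected {mime}")
    return mime

def download_headers(mime: str, stored_name: str) -> dict:
    """Headers for serving a stored upload so it cannot run as a document.

    Images referenced from <img> still render; a browser navigating directly
    to the file gets a download instead of a page that could run script.
    """
    return {
        "Content-Type": mime,                 # validated type, not the client's
        "X-Content-Type-Options": "nosniff",  # no MIME guessing by the browser
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```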