Grocy
cpe:2.3:a:grocy_project:grocy:*:*:*:*:*:*:*
- <= 4.3.0
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Grocy versions through 4.3.0. The application lacks CSRF protection: the session cookie is set without security flags and no anti-CSRF countermeasures are implemented. This allows an attacker to change the administrator's password by exploiting the absence of CSRF safeguards.
Exploitation of this vulnerability allows for unauthorized password changes, potentially leading to unauthorized access as an administrator.
To reproduce this vulnerability, upload a file containing a crafted HTML payload to the profile picture upload feature. The uploaded file can include a script that, when executed by an administrator, sends a request to change the password of the user with ID 1 (the default administrator). After the password is changed, log in using the new password. This vulnerability can also be reproduced by directly calling the password change API endpoint with the same payload, taking advantage of the lack of CSRF protection.
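The countermeasures whose absence the advisory describes, as an added example written for this page (it is not Grocy's code, and the endpoint shape, cookie name, deployment origin and user store are assumptions): the session cookie is issued with Secure, HttpOnly and SameSite flags, the password-change handler rejects requests that do not come from the application's own origin or that lack a per-session CSRF token, and it requires the current password so a forged request cannot complete on its own. Since the advisory's reproduction relies on an uploaded HTML file being rendered by the browser, the example also shows the headers with which user uploads should be served so they are downloaded rather than executed in the application's origin.

```python
# Added example, not Grocy's code: server-side checks that stop a forged
# password-change request. Endpoint shape, cookie name, origin and user
# store are assumptions made for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://grocy.example"  # assumed deployment origin
SESSION_COOKIE = "grocy_session"       # assumed cookie name
PBKDF2_ROUNDS = 600_000                # OWASP-recommended floor for PBKDF2-SHA256


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value carrying the flags the advisory reports as missing:
    Secure, HttpOnly and SameSite, so the browser does not attach the cookie
    to requests initiated from another site."""
    return f"{SESSION_COOKIE}={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def upload_response_headers() -> dict:
    """Headers for serving user-uploaded files such as profile pictures: force
    a download, forbid MIME sniffing and sandbox the response, so an uploaded
    HTML file is never rendered as a page inside the application's origin."""
    return {
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


@dataclass
class Session:
    user_id: int
    # per-session anti-CSRF token: embedded in the form, checked on submit
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    headers: dict
    form: dict


def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_matches(password: str, stored: tuple) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def is_same_origin(req: Request) -> bool:
    """Browsers send an Origin header on cross-site POSTs; fall back to Referer."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    return req.headers.get("Referer", "").startswith(SITE_ORIGIN + "/")


def change_password(session: Session, req: Request, users: dict) -> tuple:
    """Password-change handler; `users` maps user id -> {"password": (salt, digest)}."""
    if req.method != "POST":
        return 405, "method not allowed"
    if not is_same_origin(req):
        return 403, "cross-site request rejected"
    if not hmac.compare_digest(session.csrf_token, req.form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    user = users[session.user_id]
    # re-authentication: a forged request cannot supply the current password
    if not password_matches(req.form.get("current_password", ""), user["password"]):
        return 403, "current password incorrect"
    user["password"] = hash_password(req.form.get("new_password", ""))
    return 200, "password changed"


def demo() -> tuple:
    """Constructed scenario against the admin account (user id 1): a forged
    cross-site POST, a same-origin POST without the token, and a genuine
    form submission. Returns the three status codes."""
    users = {1: {"password": hash_password("old-admin-pw")}}
    admin = Session(user_id=1)
    forged = Request("POST", {"Origin": "https://attacker.example"},
                     {"new_password": "changed"})
    no_token = Request("POST", {"Origin": SITE_ORIGIN}, {"new_password": "changed"})
    genuine = Request("POST", {"Origin": SITE_ORIGIN},
                      {"csrf_token": admin.csrf_token,
                       "current_password": "old-admin-pw",
                       "new_password": "correct horse battery"})
    codes = (change_password(admin, forged, users)[0],
             change_password(admin, no_token, users)[0],
             change_password(admin, genuine, users)[0])
    assert password_matches("correct horse battery", users[1]["password"])
    return codes


if __name__ == "__main__":
    print(demo())  # (403, 403, 200)
```

The Origin check and the SameSite flag each defeat the cross-site form vector on their own; the CSRF token and the current-password requirement remain effective even when a request does originate from the application's own pages, which is the situation the uploaded-HTML vector creates, and the upload headers remove that vector entirely.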