The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a crafted HTML or SVG file, a different issue than CVE-2024-8370.
https://m10x.de/posts/2024/11/all-your-recipe-are-belong-to-us-part-1/3-stored-xss-csrf-and-broken-access-control-vulnerabilities-in-grocy/
Source: Mitre, NVD
Published: 2025-01-06
Updated: 2025-09-05
Base Score: 9
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C
Severity: High
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Severity: Critical
EPSS: 0.00078