CVE-2024-55074 is a stored Cross-site Scripting (XSS) vulnerability categorized under CWE-79, found in the Grocy project, an open-source web-based inventory and household management system. The vulnerability exists in the edit profile functionality of Grocy versions up to 4.3.0, where the application improperly neutralizes input during web page generation. Specifically, it allows an authenticated user with limited privileges to upload crafted HTML or SVG files containing malicious scripts. These scripts are stored and later executed in the context of the application when the profile is viewed, enabling an attacker to escalate privileges within the system. The vulnerability is distinct from CVE-2024-8370, indicating a separate flaw vector. The CVSS 3.1 score of 8.8 reflects the vulnerability's high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although no known exploits are currently reported in the wild, the potential for privilege escalation and persistent malicious code execution makes this a critical issue for Grocy deployments. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.

The exploitation of CVE-2024-55074 can have severe consequences for organizations using Grocy. An attacker with limited privileges can upload malicious HTML or SVG files that execute arbitrary scripts, leading to stored XSS attacks. This can result in unauthorized access to sensitive data, session hijacking, and complete compromise of user accounts. The privilege escalation aspect means attackers can gain higher-level access, potentially allowing them to manipulate inventory data, disrupt operations, or pivot to other parts of the network. The vulnerability threatens confidentiality by exposing sensitive user and organizational data, integrity by allowing unauthorized data modification, and availability by potentially enabling denial-of-service conditions through malicious scripts. Given Grocy's use in managing critical inventory and household resources, such compromise could disrupt business processes and operational continuity. The network-based attack vector and lack of required user interaction increase the risk of widespread exploitation if left unmitigated.

To mitigate CVE-2024-55074 effectively, organizations should first apply any official patches or updates released by the Grocy project once available. In the absence of patches, administrators should implement strict input validation and sanitization on the server side, particularly for file uploads in the edit profile function, to reject or neutralize HTML and SVG content that could contain executable scripts. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources of executable content. Disable or restrict SVG file uploads if not essential, as SVG files can embed scripts. Conduct thorough code reviews and penetration testing focused on input handling and stored XSS vectors. Additionally, enforce the principle of least privilege for user roles to minimize the impact of any successful exploitation. Monitoring and logging of profile edits and file uploads can help detect suspicious activities early. Educate users about the risks of uploading untrusted content and maintain regular backups to recover from potential compromises.