Skip to main content

Grocy CVE-2023-48198

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-11-15 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 15, 2023 - 23:15 nvd
MEDIUM 5.4

DescriptionNVD

A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies.

AnalysisAI

A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies. Affected products include: Grocy Project Grocy.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Grocy

View all
CVE-2023-42270 HIGH POC
8.8 Sep 15

Grocy <= 4.0.2 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is

CVE-2023-48199 HIGH POC
7.8 Nov 15

HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTM

CVE-2023-48200 MEDIUM POC
5.4 Nov 15

Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensiti

CVE-2023-48197 MEDIUM POC
5.4 Nov 15

Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy 4.0.3 and earlier allows attackers to

CVE-2020-25454 MEDIUM POC
5.4 Nov 18

Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the

CVE-2024-8370 MEDIUM POC
5.3 Sep 01

A vulnerability classified as problematic was found in Grocy up to 4.2.0. Rated medium severity (CVSS 5.3), this vulnera

CVE-2020-15253 MEDIUM POC
4.8 Oct 14

Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered

CVE-2023-48866 MEDIUM
5.4 Dec 04

A Cross-Site Scripting (XSS) vulnerability in the recipe preparation component within /api/objects/recipes and note comp

CVE-2024-55076 HIGH POC
8.1 Jan 06

Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password. Rated high severit

CVE-2024-55075 MEDIUM POC
4.3 Jan 06

Grocy through 4.3.0 allows remote attackers to obtain sensitive information via direct requests to pages that are not sh

CVE-2024-55074 HIGH POC
8.8 Jan 06

The edit profile function of Grocy through 4.3.0 allows stored XSS and resultant privilege escalation by uploading a cra

Share

CVE-2023-48198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy