Search criteria
2 vulnerabilities found for grocy by grocy
CVE-2020-15253 (GCVE-0-2020-15253)
Vulnerability from nvd – Published: 2020-10-14 18:15 – Updated: 2024-08-04 13:08
VLAI
Title
Stored XSS in Grocy
Summary
Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.
Severity
7.3 (High)
CWE
- CWE-79 - {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/48792 | x_refsource_MISC |
| https://github.com/grocy/grocy/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/grocy/grocy/issues/996 | x_refsource_MISC |
| https://github.com/grocy/grocy/commit/0624b0df594… | x_refsource_MISC |
| https://github.com/grocy/grocy/commit/0df2590de27… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.823Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/48792"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grocy/grocy/issues/996"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grocy",
"vendor": "grocy",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of Grocy \u003c= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-16T00:46:56.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.exploit-db.com/exploits/48792"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grocy/grocy/issues/996"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887"
}
],
"source": {
"advisory": "GHSA-7f37-2fjr-v9p7",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Grocy",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15253",
"STATE": "PUBLIC",
"TITLE": "Stored XSS in Grocy"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grocy",
"version": {
"version_data": [
{
"version_value": "\u003c= 2.7.1"
}
]
}
}
]
},
"vendor_name": "grocy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Versions of Grocy \u003c= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.exploit-db.com/exploits/48792",
"refsource": "MISC",
"url": "https://www.exploit-db.com/exploits/48792"
},
{
"name": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7",
"refsource": "CONFIRM",
"url": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7"
},
{
"name": "https://github.com/grocy/grocy/issues/996",
"refsource": "MISC",
"url": "https://github.com/grocy/grocy/issues/996"
},
{
"name": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772",
"refsource": "MISC",
"url": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772"
},
{
"name": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887",
"refsource": "MISC",
"url": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887"
}
]
},
"source": {
"advisory": "GHSA-7f37-2fjr-v9p7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15253",
"datePublished": "2020-10-14T18:15:21.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:22.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15253 (GCVE-0-2020-15253)
Vulnerability from cvelistv5 – Published: 2020-10-14 18:15 – Updated: 2024-08-04 13:08
VLAI
Title
Stored XSS in Grocy
Summary
Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.
Severity
7.3 (High)
CWE
- CWE-79 - {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/48792 | x_refsource_MISC |
| https://github.com/grocy/grocy/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/grocy/grocy/issues/996 | x_refsource_MISC |
| https://github.com/grocy/grocy/commit/0624b0df594… | x_refsource_MISC |
| https://github.com/grocy/grocy/commit/0df2590de27… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.823Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/48792"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grocy/grocy/issues/996"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "grocy",
"vendor": "grocy",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Versions of Grocy \u003c= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-16T00:46:56.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.exploit-db.com/exploits/48792"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grocy/grocy/issues/996"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887"
}
],
"source": {
"advisory": "GHSA-7f37-2fjr-v9p7",
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Grocy",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15253",
"STATE": "PUBLIC",
"TITLE": "Stored XSS in Grocy"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "grocy",
"version": {
"version_data": [
{
"version_value": "\u003c= 2.7.1"
}
]
}
}
]
},
"vendor_name": "grocy"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Versions of Grocy \u003c= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.exploit-db.com/exploits/48792",
"refsource": "MISC",
"url": "https://www.exploit-db.com/exploits/48792"
},
{
"name": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7",
"refsource": "CONFIRM",
"url": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7"
},
{
"name": "https://github.com/grocy/grocy/issues/996",
"refsource": "MISC",
"url": "https://github.com/grocy/grocy/issues/996"
},
{
"name": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772",
"refsource": "MISC",
"url": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772"
},
{
"name": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887",
"refsource": "MISC",
"url": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887"
}
]
},
"source": {
"advisory": "GHSA-7f37-2fjr-v9p7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15253",
"datePublished": "2020-10-14T18:15:21.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:22.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}