CVE-2020-15253 Information

Feb 14, 2021 cve

Description

Versions of Grocy = 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module that is rendered upon deleting that Shopping List. The issue was also found in users batteries chores equipment locations quantity units shopping locations tasks taskcategories product groups recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772 https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887 https://github.com/grocy/grocy/issues/996 https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

4.8

Share on: