admin/cve
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2025-05-29 09:41:05 +00:00
Code Issues Packages Projects Releases Wiki Activity
cve/2020/CVE-2020-15253.md

18 lines
1.0 KiB
Markdown
Raw Normal View History

Update Sat May 25 21:48:12 CEST 2024
2024-05-25 21:48:12 +02:00
### [CVE-2020-15253](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15253)
![](https://img.shields.io/static/v1?label=Product&message=grocy&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=%7B%22CWE-79%22%3A%22Improper%20Neutralization%20of%20Input%20During%20Web%20Page%20Generation%20('Cross-site%20Scripting')%22%7D&color=brighgreen)
### Description
Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.
### POC
#### Reference
- https://www.exploit-db.com/exploits/48792
#### Github
- https://github.com/Live-Hack-CVE/CVE-2020-15253
Reference in New Issue Copy Permalink