mirror of
https://github.com/CVEProject/cvelist.git
synced 2025-08-04 08:44:25 +00:00
103 lines
3.8 KiB
JSON
103 lines
3.8 KiB
JSON
{
|
|
"CVE_data_meta": {
|
|
"ASSIGNER": "security-advisories@github.com",
|
|
"ID": "CVE-2020-15253",
|
|
"STATE": "PUBLIC",
|
|
"TITLE": "Stored XSS in Grocy"
|
|
},
|
|
"affects": {
|
|
"vendor": {
|
|
"vendor_data": [
|
|
{
|
|
"product": {
|
|
"product_data": [
|
|
{
|
|
"product_name": "grocy",
|
|
"version": {
|
|
"version_data": [
|
|
{
|
|
"version_value": "<= 2.7.1"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
},
|
|
"vendor_name": "grocy"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
"data_format": "MITRE",
|
|
"data_type": "CVE",
|
|
"data_version": "4.0",
|
|
"description": {
|
|
"description_data": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept."
|
|
}
|
|
]
|
|
},
|
|
"impact": {
|
|
"cvss": {
|
|
"attackComplexity": "HIGH",
|
|
"attackVector": "NETWORK",
|
|
"availabilityImpact": "NONE",
|
|
"baseScore": 7.3,
|
|
"baseSeverity": "HIGH",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"privilegesRequired": "HIGH",
|
|
"scope": "CHANGED",
|
|
"userInteraction": "REQUIRED",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
|
|
"version": "3.1"
|
|
}
|
|
},
|
|
"problemtype": {
|
|
"problemtype_data": [
|
|
{
|
|
"description": [
|
|
{
|
|
"lang": "eng",
|
|
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"references": {
|
|
"reference_data": [
|
|
{
|
|
"name": "https://www.exploit-db.com/exploits/48792",
|
|
"refsource": "MISC",
|
|
"url": "https://www.exploit-db.com/exploits/48792"
|
|
},
|
|
{
|
|
"name": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7",
|
|
"refsource": "CONFIRM",
|
|
"url": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7"
|
|
},
|
|
{
|
|
"name": "https://github.com/grocy/grocy/issues/996",
|
|
"refsource": "MISC",
|
|
"url": "https://github.com/grocy/grocy/issues/996"
|
|
},
|
|
{
|
|
"name": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772",
|
|
"refsource": "MISC",
|
|
"url": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772"
|
|
},
|
|
{
|
|
"name": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887",
|
|
"refsource": "MISC",
|
|
"url": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887"
|
|
}
|
|
]
|
|
},
|
|
"source": {
|
|
"advisory": "GHSA-7f37-2fjr-v9p7",
|
|
"discovery": "UNKNOWN"
|
|
}
|
|
} |