Description
Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.
References
- Patch, Third Party Advisory
- Patch, Third Party Advisory
- Exploit, Issue Tracking, Third Party Advisory
- Third Party Advisory
- Exploit, Third Party Advisory, VDB Entry
Vulnerable configurations
Configuration 1: versions up to and including 2.7.1
cpe:2.3:a:grocy:grocy:*:*:*:*:*:*:*:*
EPSS
Percentile: 70%
Score: 0.00621
Rating: Low
CVSS3: 7.3 High
CVSS3: 4.8 Medium
CVSS2: 3.5 Low
Weaknesses
CWE-79
Related vulnerabilities
CVSS3: 5.4
fstec
about 6 years ago
Vulnerability in the web interface of the Cisco Data Center Network Manager data center network management system that allows an attacker to carry out cross-site scripting attacks