CVE-2023-48197

Опубликовано: 15 нояб. 2023

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy 4.0.3 and earlier allows attackers to obtain victim's cookies when the victim clicks on the "see QR code" function.

Ссылки

https://github.com/grocy/grocy
Product
https://nitipoom-jar.github.io/CVE-2023-48197/
Exploit
Third Party Advisory
https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2023-48197
https://github.com/grocy/grocy
Product
https://nitipoom-jar.github.io/CVE-2023-48197/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:grocy_project:grocy:4.0.3:*:*:*:*:*:*:*

EPSS

Процентиль: 63%

0.00452

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

CVE-2023-48197

CVSS3: 5.4

debian

около 2 лет назад

Cross-Site Scripting (XSS) vulnerability in the \u2018manageApiKeys\u2 ...

GHSA-ph4x-8w6x-4q6x

CVSS3: 5.4

github

около 2 лет назад

Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the QR code function in the manageapikeys component.

EPSS

Процентиль: 63%

0.00452

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79