CVE-2023-48199

Опубликовано: 15 нояб. 2023

Источник: nvd

CVSS3: 7.8

EPSS Низкий

Описание

HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTML content without script execution. This occurs when user-supplied data is not appropriately sanitized, enabling the injection of HTML tags through parameter values. The attacker can then manipulate page content in the QR code detail popup, often coupled with social engineering tactics, exploiting both the trust of users and the application's lack of proper input handling.

Ссылки

https://github.com/grocy/grocy
Product
https://grocy.info
Product
https://nitipoom-jar.github.io/CVE-2023-48199/
Exploit
Third Party Advisory
https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2023-48199
https://github.com/grocy/grocy
Product
https://grocy.info
Product
https://nitipoom-jar.github.io/CVE-2023-48199/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:grocy_project:grocy:4.0.3:*:*:*:*:*:*:*

EPSS

Процентиль: 71%

0.00658

Низкий

7.8 High

CVSS3

Дефекты

CWE-74

Связанные уязвимости

CVE-2023-48199

CVSS3: 7.8

debian

около 2 лет назад

HTML Injection vulnerability in the 'manageApiKeys' component in Grocy ...

GHSA-7m6x-ggxq-c39w

CVSS3: 7.8

github

около 2 лет назад

An issue in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the QR code funciton in the manageapikeys component.

EPSS

Процентиль: 71%

0.00658

Низкий

7.8 High

CVSS3

Дефекты

CWE-74