CVE-2020-15253

Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.

CVSS v3 4.8 MEDIUM
CVSS v2.0 3.5 LOW

4.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772	Patch Third Party Advisory
https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887	Patch Third Party Advisory
https://github.com/grocy/grocy/issues/996	Exploit Issue Tracking Third Party Advisory
https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7	Third Party Advisory
https://www.exploit-db.com/exploits/48792	Exploit Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:grocy:grocy:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-10-14 19:15

Updated : 2022-10-18 20:20

NVD link : CVE-2020-15253

Mitre link : CVE-2020-15253

CVE.ORG link : CVE-2020-15253

JSON object : View

Products Affected

grocy

grocy

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-15253", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.0}]}, "published": "2020-10-14T19:15:13.853", "references": [{"url": "https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/grocy/grocy/issues/996", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.exploit-db.com/exploits/48792", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept."}, {"lang": "es", "value": "Las versiones de Grocy anteriores a 2.7.1 incluy\u00e9ndola, son vulnerables a un ataque de tipo Cross Site Scripting por medio del m\u00f3dulo Create Shopping List, que es procesado al eliminar esa Lista de Compras. El problema tambi\u00e9n fue encontrado en usuarios, bater\u00edas, quehaceres, equipos, ubicaciones, unidades de cantidad, ubicaciones de compras, tareas, categor\u00edas de tareas, grupos de productos, recetas y productos. Es requerida una autenticaci\u00f3n para explotar estos problemas y Grocy no deber\u00eda ser expuesto p\u00fablicamente. La referencia vinculada detalla una prueba de concepto"}], "lastModified": "2022-10-18T20:20:23.657", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:grocy:grocy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A2346AA-2AF0-4B7B-9142-F2F30F79DD26", "versionEndIncluding": "2.7.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}