CVE-2020-15253

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15253
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15253.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-15253
Related
  • GHSA-7f37-2fjr-v9p7
Published
2020-10-14T19:15:13Z
Modified
2025-01-08T10:28:04.110999Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.

References

Affected packages

Git / github.com/grocy/grocy

Affected ranges

Type
GIT
Repo
https://github.com/grocy/grocy
Events

Affected versions

v0.*

v0.1.0
v0.2.0
v0.3.0
v0.4.0

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.10.0
v1.11.0
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.18.1
v1.19.0
v1.19.1
v1.19.2
v1.2.0
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.23.1
v1.24.0
v1.24.1
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.6.1
v1.7.0
v1.8.0
v1.8.1
v1.8.2
v1.9.0
v1.9.1
v1.9.2

v2.*

v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.7.0
v2.7.1