CVE-2023-48197
Product detail ⌗
Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy version <= 4.0.3 allows attackers to obtain victim's cookies when the victim clicks on the "see QR code" function.
Prerequisite ⌗
Install Grocy from official Grocy Github repository
GitHub page
Grocy version 4.0.3 released on Sep 2
Installation on Portainer Docker
Installed Grocy version 4.0.3
Exploitation ⌗
1. Go to Manage API keys page
2. Add new API key
3. Insert malicious script in the description
As you can see in the gif below:
When the victim manage API keys and see the QR code that has a malicious script in the description, the cookie can get stolen.