Product detail

Affected product: Grocy
Affected version: 4.0.3
Affected component: manageApiKeys

A Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies when the victim clicks on the "see QR code" function.


Prerequisite

Install Grocy from the official Grocy GitHub repository.

  • In this case I use Docker (Portainer) to install it.
  • Grocy version 4.0.3 released on Sep 2


[Image: Installation on Portainer Docker]

[Image: Installed Grocy version 4.0.3]


Exploitation

1. Go to the Manage API keys page
2. Add a new API key
3. Insert a malicious script in the description

    <script>alert(document.cookie)</script>

As you can see in the gif below:

When the victim opens the Manage API keys page and views the QR code of a key that has a malicious script in its description, the script runs in the victim's browser and the cookie can be stolen.
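
The fix for this class of bug is to HTML-encode the stored description before it is placed in the QR code dialog. The following is an added example, not Grocy's code: the function names, the record fields (`key`, `description`), the `/qr` URL and the markup are all assumptions made for illustration, and the sample record is constructed.

```javascript
// Added example. All names below are hypothetical, not taken from Grocy.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored description is concatenated into markup as-is,
// so a <script> element saved in the description becomes part of the page.
function renderQrDialogUnsafe(apiKey) {
  return `<div class="qr-dialog"><h5>${apiKey.description}</h5>` +
         `<img alt="QR code" src="/qr?data=${apiKey.key}"></div>`;
}

// Hardened pattern: encode for the HTML context, and URL-encode the value
// that goes into the query string of the (assumed) QR image URL.
function renderQrDialogSafe(apiKey) {
  return `<div class="qr-dialog"><h5>${escapeHtml(apiKey.description)}</h5>` +
         `<img alt="QR code" src="/qr?data=${encodeURIComponent(apiKey.key)}"></div>`;
}

// Simple check used below: does the markup still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample record using the description from the steps above.
const sampleKey = {
  key: "EXAMPLE-KEY-0001",
  description: "<script>alert(document.cookie)</script>",
};

console.log("unsafe:", containsScriptTag(renderQrDialogUnsafe(sampleKey)));
console.log("safe:  ", containsScriptTag(renderQrDialogSafe(sampleKey)));
console.log(renderQrDialogSafe(sampleKey));
```

Setting the session cookie with the `HttpOnly` attribute additionally keeps it out of `document.cookie`, which limits what an injected script can read even if an encoding step is missed.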