Product detail

Affected product: Grocy
Affected version: 4.0.3
Affected component: api/stock/products

A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies.


Prerequisite

Install Grocy from the official Grocy GitHub repository.

  • In this case I use Docker (Portainer) to install it.
  • Grocy version 4.0.3 released on Sep 2


    Installation on Portainer Docker


    Installed Grocy version 4.0.3



Exploitation

    1. Go to Manage master data
    2. Select products
    3. Add new product
    4. Insert malicious script in the description

    <script>alert(document.cookie)</script>

    As you can see in the gif below:




    When the victim visits this page and clicks on the malicious product description, the cookie can be stolen.
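
A defensive check for the issue described above, as an added example that is not part of the original advisory or Grocy's own code: it audits stored product descriptions for markup that would execute in a browser, and HTML-escapes the preview so the report itself renders inert. The record fields (`id`, `name`, `description`) and the sample data are assumptions constructed for illustration.

```javascript
// Added example (not Grocy code). The fields `id`, `name` and `description`
// are assumptions about the product records being audited.

// Encode the five HTML-significant characters so stored text renders inert.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Patterns for markup that runs script when a description is rendered as HTML.
const ACTIVE_CONTENT = [
  { label: 'script element', re: /<\s*script\b/i },
  { label: 'inline event handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { label: 'javascript: URL', re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { label: 'embedding element', re: /<\s*(?:iframe|object|embed)\b/i },
];

// Return one finding per product whose description holds active content.
function auditProducts(products) {
  const findings = [];
  for (const p of products) {
    const desc = p.description == null ? '' : String(p.description);
    const hits = ACTIVE_CONTENT.filter((r) => r.re.test(desc)).map((r) => r.label);
    if (hits.length > 0) {
      findings.push({ id: p.id, name: p.name, hits, preview: escapeHtml(desc.slice(0, 80)) });
    }
  }
  return findings;
}

// Constructed sample records, not real Grocy data.
const SAMPLE_PRODUCTS = [
  { id: 1, name: 'Milk', description: '<p>Whole milk, 1 l</p>' },
  { id: 2, name: 'Test', description: '<script>alert(document.cookie)</script>' },
  { id: 3, name: 'Eggs', description: null },
  { id: 4, name: 'Bread', description: '<img src="x.png" onerror="void 0">' },
];

for (const f of auditProducts(SAMPLE_PRODUCTS)) {
  console.log(`product ${f.id} (${f.name}): ${f.hits.join(', ')} -> ${f.preview}`);
}
```

Pattern matching of this kind is a triage aid for finding already-stored payloads; the durable fix is encoding or sanitizing the description when it is rendered.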