Product detail

Affected product: Grocy
Affected version: 4.0.3
Affected component: manageApiKeys

A Cross-Site Scripting (XSS) vulnerability in the ’equipment description’ component within ’/equipment’ of Grocy version <= 4.0.3 allows attackers to obtain victim’s cookies.


Install Grocy from official Grocy Github repository GitHub page

  • In this case I use Docker (Portainer) to install it.
  • Grocy version 4.0.3 released on Sep 2

    Installation on Portainer Docker

    Installed Grocy version 4.0.3


    1. Go to equipment page
    2. Add new equipment
    3. Insert malicious script in the description


    As you can see in the gif below:

    When the victim visit this page, the cookie can get stolen.