CVE-2023-48200
Product detail
A Cross-Site Scripting (XSS) vulnerability in the 'equipment description' component within '/equipment' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies.
Prerequisite
Install Grocy from the official Grocy GitHub repository
GitHub page
![](https://nitipoom-jar.github.io/CVE-2023-48200/1.png)
Grocy version 4.0.3 released on Sep 2
![](https://nitipoom-jar.github.io/CVE-2023-48200/1.gif)
Installation on Portainer Docker
![](https://nitipoom-jar.github.io/CVE-2023-48200/2.gif)
![](https://nitipoom-jar.github.io/CVE-2023-48200/2.png)
Installed Grocy version 4.0.3
Exploitation
1. Go to the equipment page
2. Add new equipment
3. Insert a malicious script in the description
As you can see in the gif below:
![](https://nitipoom-jar.github.io/CVE-2023-48200/3.gif)
When the victim visits this page, their cookie can be stolen.
![](https://nitipoom-jar.github.io/CVE-2023-48200/4.gif)
![](https://nitipoom-jar.github.io/CVE-2023-48200/5.png)
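For defenders who want to check whether equipment descriptions on an existing instance already contain script, the following added example (not part of the original write-up and not Grocy's own code) parses each description as HTML and reports active content. The record shape (dicts with `id` and `description` keys), the tag list and the sample records are constructed assumptions.

```python
from html.parser import HTMLParser

# Elements that load or run active content (heuristic list chosen for this example).
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentFinder(HTMLParser):
    """Collects reasons why an HTML fragment could execute script in a browser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and decodes entities in values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS:
                # Drop whitespace/control characters before comparing the scheme.
                url = "".join(c for c in (value or "") if c > " ").lower()
                if url.startswith(("javascript:", "vbscript:", "data:text/html")):
                    self.findings.append(f"script URL in {name} on <{tag}>")


def audit_equipment(records):
    """Return {equipment id: [findings]} for descriptions holding active content."""
    flagged = {}
    for rec in records:
        finder = ActiveContentFinder()
        finder.feed(rec.get("description") or "")
        finder.close()
        if finder.findings:
            flagged[rec["id"]] = finder.findings
    return flagged


# Constructed sample records (assumed shape, inert placeholder markup).
SAMPLE_EQUIPMENT = [
    {"id": 1, "description": "<p>Descale <b>monthly</b>.</p>"},
    {"id": 2, "description": "<p>Manual</p><script>void 0</script>"},
    {"id": 3, "description": '<a href="javascript:void(0)" onclick="void 0">x</a>'},
]

if __name__ == "__main__":
    for eq_id, reasons in audit_equipment(SAMPLE_EQUIPMENT).items():
        print(eq_id, reasons)
```

A flagged record is a lead for manual review, not proof of compromise; the check is a triage heuristic and does not replace output encoding or sanitization in the application.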