Product detail

Affected product: Grocy
Affected version: 4.0.3
Affected component: Recipe

Cross-Site Scripting (XSS) vulnerability in the 'shoppinglist' component of Grocy version <= 4.0.3 allows attackers to obtain victim's cookies when the victim clicks on the shoppinglist menu.

Prerequisite

Install Grocy from official Grocy Github repository GitHub page

  • In this case I use Docker (Portainer) to install it.

    • Grocy version 4.0.3 released on Sep 2


    Installation on Portainer Docker


    Installed Grocy version 4.0.3


    Exploitation

    1. Go to Shopping list page
    2. Add notes
    3. Insert malicious script in a note and save

    <script>alert(document.cookie)</script>

    As you can see in the gif below:



    When the victim visits recipes page without clicking on anything, the script is executed which the cookie can get stolen.