CVE-2020-15253 — HIGH (7.3)

Q: How severe is CVE-2020-15253?

CVE-2020-15253 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-15253?

Check the references section above for vendor advisories and patch information. Affected products include: Grocy Grocy.

Vulnerability Description

Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.

CVSS Score

7.3

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Grocy	Grocy	<= 2.7.1

Related Weaknesses (CWE)

CWE-79

References

https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772PatchThird Party Advisory
https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887PatchThird Party Advisory
https://github.com/grocy/grocy/issues/996ExploitIssue TrackingThird Party Advisory
https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7Third Party Advisory
https://www.exploit-db.com/exploits/48792ExploitThird Party AdvisoryVDB Entry
https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772PatchThird Party Advisory
https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887PatchThird Party Advisory
https://github.com/grocy/grocy/issues/996ExploitIssue TrackingThird Party Advisory
https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7Third Party Advisory
https://www.exploit-db.com/exploits/48792ExploitThird Party AdvisoryVDB Entry

FAQ

What is CVE-2020-15253?

CVE-2020-15253 is a vulnerability with a CVSS score of 7.3 (HIGH). Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, ...

How severe is CVE-2020-15253?

CVE-2020-15253 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-15253?

Check the references section above for vendor advisories and patch information. Affected products include: Grocy Grocy.