CVE-2020-15253

HIGH

Grocy <= 2.7.1 - XSS


Description

Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module: the injected payload is rendered when that Shopping List is deleted. The same issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues, and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.

Exploits (1)

exploitdb WORKING POC
by Mufaddal Masalawala · text · webapps · php
https://www.exploit-db.com/exploits/48792

Scores

CVSS v3 7.3
EPSS 0.0062
EPSS Percentile 70.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-79
Status published
Products (1)
grocy/grocy < 2.7.1
Published Oct 14, 2020
Tracked Since Feb 18, 2026