CVE-2023-48199

Name
CVE-2023-48199
Description
HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTML content without script execution. This occurs when user-supplied data is not appropriately sanitized, enabling the injection of HTML tags through parameter values. The attacker can then manipulate page content in the QR code detail popup, often coupled with social engineering tactics, exploiting both the trust of users and the application's lack of proper input handling.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type    URI
        https://github.com/grocy/grocy
        https://grocy.info
        https://nitipoom-jar.github.io/CVE-2023-48199/

Match rules

CPE URI                                              Source package   Min version   Max version
cpe:2.3:a:grocy_project:grocy:4.0.3:*:*:*:*:*:*:*    grocy            == None       == 4.0.3

Vulnerable and fixed packages

Source package   Branch           Version    Maintainer                            Status
grocy            3.19-community   4.0.3-r2   Will Sinatra <wpsinatra@gmail.com>    possibly vulnerable