Home > Vulnerability Database > CVE-2020-15253

Mend.io Vulnerability Database

CVE-2020-15253

Date: October 14, 2020

Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.

Language: JS

Severity Score

7.3

Related Resources (7)

Url: https://github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772

Url: https://github.com/grocy/grocy/issues/996

Url: https://github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887

Url: https://github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7

Url: https://www.exploit-db.com/exploits/48792

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-15253

Url: https://www.mend.io/vulnerability-database/CVE-2020-15253

Severity Score

7.3

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	3.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	SINGLE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-15253

Date: October 14, 2020

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?