← Voltar para CVEs

CVE-2023-48199

HIGH

7.8

Descricao

HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTML content without script execution. This occurs when user-supplied data is not appropriately sanitized, enabling the injection of HTML tags through parameter values. The attacker can then manipulate page content in the QR code detail popup, often coupled with social engineering tactics, exploiting both the trust of users and the application's lack of proper input handling.

Detalhes CVE

Pontuacao CVSS v3.17.8

SeveridadeHIGH

Vetor CVSSCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vetor de ataqueLOCAL

ComplexidadeLOW

Privilegios necessariosLOW

Interacao do usuarioNONE

Publicado11/15/2023

Ultima modificacao9/29/2025

Fontenvd

Avistamentos honeypot0

Produtos afetados

grocy_project:grocy

Fraquezas (CWE)

CWE-74

Referencias

https://github.com/grocy/grocy(cve@mitre.org)

https://grocy.info(cve@mitre.org)

https://nitipoom-jar.github.io/CVE-2023-48199/(cve@mitre.org)

https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2023-48199(cve@mitre.org)

https://github.com/grocy/grocy(af854a3a-2127-422b-91ae-364da2661108)

https://grocy.info(af854a3a-2127-422b-91ae-364da2661108)

https://nitipoom-jar.github.io/CVE-2023-48199/(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.