CVE-2023-48199

Published: Nov 15, 2023Modified: Jun 17, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

HTML Injection vulnerability in the 'manageApiKeys' component in Grocy <= 4.0.3 allows attackers to inject arbitrary HTML content without script execution. This occurs when user-supplied data is not appropriately sanitized, enabling the injection of HTML tags through parameter values. The attacker can then manipulate page content in the QR code detail popup, often coupled with social engineering tactics, exploiting both the trust of users and the application's lack of proper input handling.

Affected (1)

Products: Grocy Project: Grocy

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Grocy Project Grocy	Version 4.0.3

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (7)

https://github.com/grocy/grocy

Source: cve@mitre.org

Product

https://grocy.info

Source: cve@mitre.org

Product

https://nitipoom-jar.github.io/CVE-2023-48199/

Source: cve@mitre.org

ExploitThird Party Advisory

https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2023-48199

Source: cve@mitre.org

https://github.com/grocy/grocy

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://grocy.info

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://nitipoom-jar.github.io/CVE-2023-48199/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.