0day Today Exploits Market and 0day Exploits Database

Grocy Household Management Solution 2.7.1 Cross Site Scripting Vulnerability

Author: Simran Sankhala
Risk: Security Risk Medium
0day-ID: 0day-ID-35264
Category: web applications
Date add: 17-11-2020
Platform: php
# Exploit Author: Simran Sankhala
# Vendor Homepage: https://berrnd.de/
# Software Link: https://github.com/grocy/grocy
# Version: 2.7.1
# Tested on: Kali Linux 2020.3
# CVE ID Allotted: CVE-2020-25454
# Proof Of Concept:

grocy household management solution v2.7.1 allows stored XSS via the Add recipe module; the payload is rendered upon deleting that recipe.

To exploit this vulnerability:

1. Log in to the application
2. Go to the 'Recipe' module
3. Click on the 'add New recipe' module
4. Enter the payload: <script>alert("xss")  in 'Name' and in the description section input field.
5. Click Save
6. Click 'Delete Recipe'; the payload gets executed.
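
The steps above describe a stored value that is later rendered without output encoding when the recipe is deleted. The following is an added example, not grocy's code and not part of the original advisory: it assumes the recipe name is interpolated into a delete confirmation message, and the function names, the markup and the sample records are all constructed for illustration. It shows the unencoded pattern beside an encoded one, plus an audit check for already-stored names that contain markup.

```javascript
"use strict";

// Characters that can change the HTML parsing context, and their entities.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for placement in HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unencoded pattern (hypothetical): the stored name becomes part of the markup.
function confirmMarkupUnsafe(recipeName) {
  return '<p>Delete recipe "' + recipeName + '"?</p>';
}

// Encoded pattern: the stored name is always treated as text.
function confirmMarkupSafe(recipeName) {
  return '<p>Delete recipe "' + escapeHtml(recipeName) + '"?</p>';
}

// Audit helper: ids of stored records whose name contains angle brackets,
// i.e. values that were saved before output encoding was in place.
function findSuspectNames(records) {
  return records.filter((r) => /[<>]/.test(r.name)).map((r) => r.id);
}

// Constructed sample data; record 2 carries the payload from step 4 above.
const SAMPLE_RECIPES = [
  { id: 1, name: "Pancakes" },
  { id: 2, name: '<script>alert("xss")' },
  { id: 3, name: "Mac & cheese" },
];

for (const r of SAMPLE_RECIPES) {
  console.log(r.id, confirmMarkupSafe(r.name));
}
console.log("suspect record ids:", findSuspectNames(SAMPLE_RECIPES));
```

Encoding at output time is what closes the issue; the audit helper only identifies records worth reviewing after the fix is deployed.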

#  0day.today [2024-11-16]  #