CVE-2023-48866

Name of the Vulnerable Software and Affected Versions Grocy versions <= 4.0.3

Description A Cross-Site Scripting (XSS) issue exists in the recipe preparation component within "/api/objects/recipes" and note component within "/api/objects/shopping lists/" of Grocy, allowing attackers to obtain the victim's cookies.

Recommendations For Grocy versions <= 4.0.3, update to a version greater than 4.0.3 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/objects/recipes" and "/api/objects/shopping lists/" API endpoints until a patch is available.