PT-2020-14317 · Grocy · Grocy

Muffyhub · Published 2020-02-05 · Updated 2022-10-18 · CVE-2020-15253

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Grocy versions <= 2.7.1
Description: The issue is a Cross-Site Scripting vulnerability that can be exploited via the Create Shopping List module when a shopping list is deleted. The same problem is present in other modules, including users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes, and products. Exploitation requires authentication, and it is recommended that Grocy not be publicly exposed.
Recommendations: For Grocy versions <= 2.7.1, update to a version higher than 2.7.1 to resolve the issue. As a temporary workaround, consider restricting access to the Create Shopping List module and the other affected modules until a patch is available. Additionally, ensure that Grocy is not publicly exposed to minimize the risk of exploitation.
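The pattern the description points at (a user-supplied record name placed into the markup of a delete flow without encoding) and the corresponding mitigation, shown as an added JavaScript example. This is not Grocy's code and not taken from the advisory; the function names, the prompt template, the review helper and the sample list name are assumptions, since the page does not state where Grocy rendered the name or how the fix was implemented.

```javascript
// Added example (not Grocy's code): a stored record name (shopping list,
// battery, chore, ...) concatenated into the HTML of a delete-confirmation
// prompt. All names and templates below are assumptions for illustration.

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: the stored name is interpolated into markup verbatim,
// so any tags it contains become part of the page when the prompt renders.
function buildDeletePromptUnsafe(listName) {
  return `<p>Delete shopping list "${listName}"?</p>`;
}

// Hardened shape: the same prompt, with the name encoded for HTML context.
// The name is still stored and displayed as typed; it is just not interpreted.
function buildDeletePromptSafe(listName) {
  return `<p>Delete shopping list "${escapeHtml(listName)}"?</p>`;
}

// Review helper for templates: true when a user value containing markup
// delimiters appears unchanged in the rendered HTML, i.e. encoding was skipped.
function containsRawMarkup(renderedHtml, userValue) {
  return /[<>"']/.test(userValue) && renderedHtml.includes(userValue);
}

// Constructed sample name: markup in a name must be shown literally, never rendered.
const SAMPLE_NAME = 'Weekly <i>groceries</i> & "extras"';

// Stand-alone run (guarded so the block also loads as an ES module).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildDeletePromptUnsafe(SAMPLE_NAME));
  console.log(buildDeletePromptSafe(SAMPLE_NAME));
  console.log('unsafe prompt leaks markup:',
    containsRawMarkup(buildDeletePromptUnsafe(SAMPLE_NAME), SAMPLE_NAME));
  console.log('safe prompt leaks markup:',
    containsRawMarkup(buildDeletePromptSafe(SAMPLE_NAME), SAMPLE_NAME));
}
```

The fix lives at the output side: encoding every user-controlled value at the point it is written into HTML, which is why the advisory lists many unrelated modules (users, batteries, chores, and so on) as affected by the same defect. Restricting access and keeping the instance off the public internet, as the recommendations say, reduce who can plant such a name but do not remove the rendering bug.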

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers:
BDU:2020-01158
CVE-2020-15253
GHSA-7F37-2FJR-V9P7

Affected Products:
Grocy