CVE-2023-48198

Name of the Vulnerable Software and Affected Versions Grocy versions <= 4.0.3

Description A Cross-Site Scripting (XSS) issue exists in the 'product description' component within the "/api/stock/products" endpoint, allowing attackers to obtain a victim's cookies. This issue can be exploited by a local attacker to execute arbitrary code and obtain sensitive information.

Recommendations For Grocy versions <= 4.0.3, update to a version greater than 4.0.3 to resolve the issue. As a temporary workaround, consider restricting access to the "/api/stock/products" endpoint until a patch is available. Avoid using the 'product description' component in the affected API endpoint until the issue is resolved.