CVE-2023-48199

Name of the Vulnerable Software and Affected Versions Grocy versions prior to 4.0.4

Description The issue allows attackers to inject arbitrary HTML content without script execution, occurring when user-supplied data is not properly sanitized. This enables the injection of HTML tags through parameter values, allowing manipulation of page content in the QR code detail popup. The attack often involves social engineering tactics, exploiting user trust and the application's lack of proper input handling.

Recommendations For Grocy versions prior to 4.0.4, update to version 4.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'manageApiKeys' component to minimize the risk of exploitation. Avoid using user-supplied data in the QR code function until the issue is resolved.