Vulnerabilities > Grocy Project > Grocy > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-04 | CVE-2023-48866 | Cross-site Scripting vulnerability in Grocy Project Grocy A Cross-Site Scripting (XSS) vulnerability in the recipe preparation component within /api/objects/recipes and note component within /api/objects/shopping_lists/ of Grocy <= 4.0.3 allows attackers to obtain the victim's cookies. | 5.4 |
| 2023-11-15 | CVE-2023-48197 | Cross-site Scripting vulnerability in Grocy Project Grocy 4.0.3 Cross-Site Scripting (XSS) vulnerability in the ‘manageApiKeys’ component of Grocy 4.0.3 and earlier allows attackers to obtain victim's cookies when the victim clicks on the "see QR code" function. | 5.4 |
| 2023-11-15 | CVE-2023-48198 | Cross-site Scripting vulnerability in Grocy Project Grocy 4.0.3 A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies. | 5.4 |
| 2023-11-15 | CVE-2023-48200 | Cross-site Scripting vulnerability in Grocy Project Grocy 4.0.3 Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the equipment description component within /equipment/ component. | 5.4 |
| 2020-11-18 | CVE-2020-25454 | Cross-site Scripting vulnerability in Grocy Project Grocy 2.7.1 Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe. | 5.4 |