CVE-2023-48199

7.8 HIGH

📋 TL;DR

This HTML injection vulnerability in Grocy's API key management component allows attackers to inject arbitrary HTML content into QR code detail popups. While script execution is prevented, attackers can manipulate page appearance to deceive users through social engineering. All Grocy instances running version 4.0.3 or earlier are affected.

💻 Affected Systems

Products:
  • Grocy
Versions: <= 4.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the manageApiKeys component when processing user-supplied parameter values.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could create convincing phishing interfaces within the legitimate application, potentially tricking users into revealing credentials or performing unauthorized actions.

🟠 Likely Case: Attackers inject misleading HTML content to manipulate QR code displays, potentially redirecting users to malicious sites or displaying false information.

🟢 If Mitigated: With proper input sanitization, HTML injection is prevented, maintaining the integrity of QR code displays and preventing content manipulation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the API key management interface and knowledge of the vulnerable parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: > 4.0.3

Vendor Advisory: https://github.com/grocy/grocy

Restart Required: Yes

Instructions:

1. Backup your Grocy instance and database.
2. Update Grocy to version 4.0.4 or later.
3. Restart the Grocy service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Sanitization Filter (scope: all)

Implement server-side HTML entity encoding for all user inputs in the manageApiKeys component.

Access Restriction (scope: all)

Restrict access to the API key management interface to trusted administrators only.

🧯 If You Can't Patch

  • Implement web application firewall rules to block HTML injection patterns in API key parameters
  • Disable or restrict the manageApiKeys component if not essential for operations

🔍 How to Verify

Check if Vulnerable:

Check Grocy version in web interface or via package manager. If version is 4.0.3 or earlier, you are vulnerable.

Check Version:

Check Grocy web interface settings or consult package manager (e.g., 'apt list --installed | grep grocy' on Debian-based systems)

Verify Fix Applied:

After updating, verify version is 4.0.4 or later and test that HTML injection attempts in API key parameters are properly sanitized.
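The workaround above (server-side HTML entity encoding) and this verification step describe the same fix class and the test for it. The following is an added example, not Grocy's own code: Grocy is a PHP application, where the equivalent call is htmlspecialchars(); this Python version uses html.escape() to show the same idea. The div/span popup template, the function names, and the description value are constructed for the demonstration.

```python
"""Added example (not Grocy's code): entity-encoding user input before it is
placed in the QR detail popup, plus a check that a harmless probe tag stays
text. The template (div/span) and function names are constructed here."""
import html
from html.parser import HTMLParser

# Elements the trusted template itself emits; anything else came from input.
TEMPLATE_TAGS = {"div", "span"}


def render_popup_unsafe(description: str) -> str:
    """Vulnerable pattern: user-supplied text concatenated straight into markup."""
    return f'<div class="qr-details"><span>{description}</span></div>'


def render_popup_safe(description: str) -> str:
    """Hardened pattern: entity-encode <, >, &, " and ' so the browser renders
    the value as text rather than parsing it as HTML."""
    escaped = html.escape(description, quote=True)
    return f'<div class="qr-details"><span>{escaped}</span></div>'


class _TagCollector(HTMLParser):
    """Record every start tag an HTML parser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(fragment: str):
    """Start tags in the rendered fragment that the template did not put there."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return [tag for tag in collector.tags if tag not in TEMPLATE_TAGS]


def sanitization_holds(render, probe: str = "<b>constructed</b>") -> bool:
    """Verification step: render a harmless probe tag and confirm it stays text."""
    return injected_tags(render(probe)) == []


if __name__ == "__main__":
    print("unsafe renderer passes:", sanitization_holds(render_popup_unsafe))  # False
    print("safe renderer passes:", sanitization_holds(render_popup_safe))      # True
```

The check deliberately parses the rendered fragment with an HTML parser rather than searching for the literal probe string, so it catches any renderer that lets a new element through, whatever the input looked like.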

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML tags or attributes in API key parameter values
  • Multiple failed injection attempts in manageApiKeys logs

Network Indicators:

  • HTTP requests containing HTML tags in manageApiKeys parameter values

SIEM Query:

source="grocy_logs" AND ("manageApiKeys" AND ("<script" OR "<img" OR "<iframe" OR "onerror="))
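The same logic as the SIEM query, applied to web-server access logs, as an added example (not a Grocy or vendor tool): it URL-decodes query parameters of requests to the API key management page and flags values that contain the query's markers or any HTML tag or inline event-handler attribute. The request path /manageapikeys and the parameter name description are assumptions, and the log lines are constructed for this demonstration.

```python
"""Added example (not from the Grocy project): flag HTML-injection attempts
against the manageApiKeys page in web-server access logs, using the same
markers as the page's SIEM query plus a generic tag / event-handler check.
The path /manageapikeys and the parameter name are assumptions; the log
lines below are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Markers taken from the SIEM query on this page.
SIEM_MARKERS = ("<script", "<img", "<iframe", "onerror=")

# Generic check: any start/end tag, or an inline event-handler attribute.
HTML_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)

# Common Log Format (with protocol) as written by most web servers.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_log_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def suspicious_params(target: str):
    """Return (name, decoded_value) pairs whose value carries HTML, but only
    for requests to the API key management page."""
    parts = urlsplit(target)
    if "manageapikeys" not in parts.path.lower():
        return []
    hits = []
    # parse_qsl URL-decodes values, so %3Cimg%3E is inspected as <img>.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        lowered = value.lower()
        if any(marker in lowered for marker in SIEM_MARKERS) or HTML_PATTERN.search(value):
            hits.append((name, value))
    return hits


def scan_logs(lines):
    """Return one alert per request carrying HTML in a manageApiKeys parameter."""
    alerts = []
    for line in lines:
        record = parse_log_line(line)
        if record is None:
            continue  # skip lines that are not access-log records
        hits = suspicious_params(record["target"])
        if hits:
            alerts.append({"ip": record["ip"], "ts": record["ts"],
                           "status": record["status"], "params": hits})
    return alerts


# Constructed sample log: two benign requests, a benign request on another
# page that contains a tag, one malformed line, and two injection attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /manageapikeys?page=1 HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /manageapikeys?description=Kitchen+tablet HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /stock?note=%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1" 200',
    'not an access log line',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /manageapikeys?description=%3Ciframe%20src%3Dabout%3Ablank%3E HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /manageapikeys?description=%3Cb%3Econstructed%3C%2Fb%3E HTTP/1.1" 200',
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOG):
        print(alert)
```

Decoding before matching matters: the SIEM query above matches literal strings, so a request that arrives percent-encoded would not contain "<iframe" in the raw log line, while the decoded value does. Scoping the check to the manageApiKeys path keeps ordinary pages that legitimately carry markup out of the alert stream.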
