High severity7.3NVD Advisory· Published Oct 14, 2020· Updated Jun 17, 2026
CVE-2020-15253
CVE-2020-15253
Description
Versions of Grocy <= 2.7.1 are vulnerable to Cross-Site Scripting via the Create Shopping List module, that is rendered upon deleting that Shopping List. The issue was also found in users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes and products. Authentication is required to exploit these issues and Grocy should not be publicly exposed. The linked reference details a proof-of-concept.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=2.7.1+ 1 more
- (no CPE)range: <=2.7.1
- (no CPE)range: <= 2.7.1
Patches
Vulnerability mechanics
References
5- github.com/grocy/grocy/commit/0624b0df594a4353ef25e6b1874565ea52ce7772nvdPatchThird Party Advisory
- github.com/grocy/grocy/commit/0df2590de27c60c18b7db6e056347bd2aff5a887nvdPatchThird Party Advisory
- github.com/grocy/grocy/issues/996nvdExploitIssue TrackingThird Party Advisory
- www.exploit-db.com/exploits/48792nvdExploitThird Party AdvisoryVDB Entry
- github.com/grocy/grocy/security/advisories/GHSA-7f37-2fjr-v9p7nvdThird Party Advisory
News mentions
0No linked articles in our index yet.