Exploits / Vulnerability Discovered : 2020-09-07
Type : webapps
Platform : php
This exploit / vulnerability, Grocy 2.7.1 persistent cross-site scripting, is for educational purposes only; if you use it, you do so at your own risk!
grocy household management solution v2.7.1 allows stored XSS and HTML
injection via the Create Shopping List module; the injected markup is
rendered upon deleting that Shopping List.
To exploit this vulnerability:
1. Login to the application
2. Go to 'Shopping List' module
3. Click on 'New Shopping List' module
4. Enter the payload: <marquee onstart=alert(document.cookie)> in 'Name'
input field.
5. Click Save
6. Click 'Delete Shopping List'
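
The root cause in this class of bug is that the stored list name reaches the delete confirmation without output encoding. The following is an added example, not grocy's own code: the function names and the confirmation wording are assumptions, and it contrasts an unescaped confirmation message with an escaped one using the payload from step 4 as constructed input.

```javascript
// Added illustration; not taken from grocy. Function names and the
// confirmation wording are assumptions made for this example.

// Encode the five characters that let text break out of an HTML
// element body or a quoted attribute value.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored list name is concatenated into markup
// that a dialog later parses as HTML, so tags in the name become elements.
function confirmDeleteUnsafe(listName) {
  return '<p>Are you sure you want to delete shopping list "' + listName + '"?</p>';
}

// Hardened pattern: the name is encoded at the point of output, so the
// browser displays it as text regardless of what was stored.
function confirmDeleteSafe(listName) {
  return '<p>Are you sure you want to delete shopping list "' + escapeHtml(listName) + '"?</p>';
}

// Regression check: true if the rendered message contains an opening tag
// other than the ones the template itself emits.
function containsUnexpectedTag(html, allowedTags = ["p"]) {
  const tagPattern = /<\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) {
    if (!allowedTags.includes(match[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample input: the payload from step 4 above.
const storedName = "<marquee onstart=alert(document.cookie)>";
console.log(confirmDeleteUnsafe(storedName));
console.log(confirmDeleteSafe(storedName));
```

A check like `containsUnexpectedTag` fits in a template or UI test suite so that any message built from user-controlled names fails the build if markup survives rendering.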