CVE-2023-48197: n/a
Cross-Site Scripting (XSS) vulnerability in the 'manageApiKeys' component of Grocy 4.0.3 and earlier allows attackers to obtain the victim's cookies when the victim clicks on the "see QR code" function.
AI Analysis
Technical Summary
CVE-2023-48197 is a Cross-Site Scripting (XSS) vulnerability identified in the 'manageApiKeys' component of Grocy versions 4.0.3 and earlier. Grocy is an open-source web-based self-hosted groceries and household management solution. The vulnerability arises when an attacker can inject malicious scripts into the 'see QR code' function, which is used to display QR codes related to API keys. When a victim user clicks on this function, the injected script executes in the victim's browser context, allowing the attacker to steal sensitive information such as session cookies. This can lead to session hijacking or unauthorized actions performed on behalf of the victim. The vulnerability requires the victim to interact by clicking the 'see QR code' function, and the attacker must have at least limited privileges (PR:L) to exploit it. The CVSS v3.1 base score is 5.4 (medium severity), reflecting that the attack vector is network-based with low attack complexity but requires user interaction and privileges. The vulnerability impacts confidentiality and integrity but does not affect availability. No known exploits in the wild have been reported yet, and no official patches are linked at this time. The underlying weakness corresponds to CWE-79, which is improper neutralization of input leading to XSS.
Potential Impact
For European organizations using Grocy for inventory or household management, this vulnerability could lead to unauthorized access to user sessions and potentially sensitive API keys if attackers successfully exploit the XSS flaw. This could result in data leakage, unauthorized API usage, or further compromise of internal systems if API keys grant elevated access. Since Grocy is often self-hosted, organizations with less mature security practices or without regular patching cycles are at higher risk. The requirement for user interaction and some privilege level reduces the risk somewhat but does not eliminate it, especially in environments where multiple users have access to the Grocy interface. Confidentiality and integrity of user sessions and API keys are at risk, which could cascade into broader security incidents if attackers leverage stolen credentials or session tokens. The medium severity score indicates a moderate threat level but should not be ignored, especially in sectors handling sensitive or regulated data.
Mitigation Recommendations
European organizations should immediately review their Grocy installations and restrict access to the 'manageApiKeys' component to trusted users only. Implement strict input validation and output encoding on the 'see QR code' function to prevent script injection. Until an official patch is released, consider disabling the QR code display feature or restricting its use. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser. Regularly monitor logs for suspicious activity related to API key management and user sessions. Educate users about the risks of clicking on unexpected or suspicious interface elements. Additionally, enforce least privilege principles to minimize the number of users with access to API key management. Finally, keep abreast of updates from Grocy developers for official patches and apply them promptly once available.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2023-11-13T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e0f3c7b66c7f7acdd3eabb
Added to database: 10/4/2025, 10:15:35 AM
Last enriched: 10/4/2025, 10:19:45 AM
Last updated: 10/4/2025, 1:01:26 PM