CVE-2023-48197: 
NixOS vulnerability analysis and mitigation

Cross-Site Scripting (XSS) vulnerability exists in the 'manageApiKeys' component of Grocy version 4.0.3 and earlier. The vulnerability was discovered in November 2023 and affects the Grocy web-based self-hosted groceries & household management solution (NVD, Grocy Github).

The vulnerability exists in the 'manageApiKeys' component where user input in the API key description field is not properly sanitized. When a victim clicks on the 'see QR code' function, malicious scripts inserted in the description field can be executed in the victim's browser context. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, the vulnerability allows attackers to obtain victim's cookies when the victim clicks on the 'see QR code' function. This could potentially lead to session hijacking and unauthorized access to the victim's account (Exploit Details).

Users should upgrade to a version newer than 4.0.3. If upgrading is not immediately possible, users should exercise caution when viewing QR codes in the API key management interface and avoid creating or viewing API keys from untrusted sources (NVD).