CVE-2022-23072

Published: Jun 21, 2022Modified: Nov 21, 2024

3.5

Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability: 6.8 / Impact: 2.9

Source: NVD

Description

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.

Affected (1)

Products: Tandoor: Recipes

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Tandoor Recipes	From 1.0.5 to 1.2.5

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6

Source: vulnerabilitylab@mend.io

PatchThird Party Advisory

https://www.mend.io/vulnerability-database/CVE-2022-23072

Source: vulnerabilitylab@mend.io

ExploitPatchThird Party Advisory

https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.mend.io/vulnerability-database/CVE-2022-23072

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.