
CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 2

A stored cross-site scripting (XSS) vulnerability in Mealie v0.5.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Shopping Lists item names text field. • https://cwe.mitre.org/data/definitions/79.html https://docs.mealie.io/changelog/v0.5.6 https://gainsec.com/2022/08/02/cve-2022-34613-cve-2022-34618-cve-2022-34619-xss-file-upload-and-more https://hub.docker.com/r/hkotel/mealie https://huntr.dev/bounties/aa610613-6ebb-4544-9aa6-046dc28fe4ff • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

Mealie 1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbitrary code via a crafted Jinja2 template. • https://cwe.mitre.org/data/definitions/1336.html https://cwe.mitre.org/data/definitions/94.html https://docs.mealie.io/changelog/v0.5.6 https://gainsec.com/2022/08/02/cve-2022-34625-ssti-rce-mealie https://hub.docker.com/r/hkotel/mealie • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file. • https://cwe.mitre.org/data/definitions/79.html https://docs.mealie.io/changelog/v0.5.6 https://gainsec.com/2022/08/02/cve-2022-34613-cve-2022-34618-cve-2022-34619-xss-file-upload-and-more https://hub.docker.com/r/hkotel/mealie • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 2

A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the recipe description text field. • https://cwe.mitre.org/data/definitions/79.html https://docs.mealie.io/changelog/v0.5.6 https://gainsec.com/2022/08/02/cve-2022-34613-cve-2022-34618-cve-2022-34619-xss-file-upload-and-more https://hub.docker.com/r/hkotel/mealie https://huntr.dev/bounties/aa610613-6ebb-4544-9aa6-046dc28fe4ff • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')