CVE-2025-23213 – Tandoor Recipes - Stored XSS through Unrestricted File Upload
https://notcve.org/view.php?id=CVE-2025-23213
28 Jan 2025 — Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows uploading arbitrary files, including HTML and SVG; both can carry active content (XSS payloads). This vulnerability is fixed in 1.5.28. • https://github.com/TandoorRecipes/recipes/commit/3e37d11c6a3841a00eb27670d1d003f1a713e1cf • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2025-23212 – Tandoor Recipes - Local file disclosure - Users can read the content of any file on the server
https://notcve.org/view.php?id=CVE-2025-23212
28 Jan 2025 — Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the names and read the contents of files on the server. This vulnerability is fixed in 1.5.28. • https://github.com/TandoorRecipes/recipes/commit/36e83a9d0108ac56b9538b45ead57efc8b97c5ff • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2025-23211 – Tandoor Recipes - SSTI - Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-23211
28 Jan 2025 — Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 SSTI vulnerability allows any user to execute commands on the server; when the provided Docker Compose file is used, those commands run as root. This vulnerability is fixed in 1.5.24. • https://github.com/TandoorRecipes/recipes/blob/4f9bff20c858180d0f7376de443a9fe4c123a50c/cookbook/helper/template_helper.py#L95 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CVE-2024-0403 – Recipes 1.5.10 - Blind SSRF
https://notcve.org/view.php?id=CVE-2024-0403
29 Feb 2024 — Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server. This is possible because the application is vulnerable to SSRF. • https://fluidattacks.com/advisories/harris • CWE-918: Server-Side Request Forgery (SSRF)
CVE-2022-23074 – Recipes - Stored XSS in Name Parameter
https://notcve.org/view.php?id=CVE-2022-23074
21 Jun 2022 — Recipes versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS) in the 'Name' field of the Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low-privileged attacker can obtain the victim's API key, which can lead to takeover of the admin's account. • https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23073 – Recipes - Stored XSS in Clipboard
https://notcve.org/view.php?id=CVE-2022-23073
21 Jun 2022 — Recipes versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS) in the copy-to-clipboard functionality. When a victim accesses the food list page, adds a new Food with a malicious JavaScript payload in the 'Name' parameter and clicks the clipboard icon, the XSS payload will trigger. A low-privileged attacker can obtain the victim's API key, which can lead to takeover of the admin's account. • https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23072 – Recipes - Stored XSS in Add to Cart
https://notcve.org/view.php?id=CVE-2022-23072
21 Jun 2022 — Recipes versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS) in the "Add to Cart" functionality. When a victim accesses the food list page, adds a new Food with a malicious JavaScript payload in the 'Name' parameter and clicks the Add to Shopping Cart icon, the XSS payload will trigger. A low-privileged attacker can obtain the victim's API key, which can lead to takeover of the admin's account. • https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23071 – Recipes - SSRF on Import
https://notcve.org/view.php?id=CVE-2022-23071
19 Jun 2022 — Recipes versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF) in the "Import Recipe" functionality. By entering a localhost URL, a low-privileged attacker can access/read the internal file system and obtain sensitive information. • https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c • CWE-918: Server-Side Request Forgery (SSRF)