CVE-2022-23074
Recipes - Stored XSS in Name Parameter
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.
En Recipes, versiones 0.17.0 hasta 1.2.5, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) Almacenado, en el campo "Name" de los componentes Keyword, Food y Unit. Cuando una víctima accede a los endpoints Keyword/Food/Unit, la carga útil de tipo XSS es desencadenada. Un atacante con pocos privilegios tendrá la clave API de la víctima y puede conllevar a una toma de control de la cuenta del administrador
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-01-10 CVE Reserved
- 2022-06-21 CVE Published
- 2024-01-12 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.mend.io/vulnerability-database/CVE-2022-23074 | 2024-09-16 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6 | 2023-11-07 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Tandoor Search vendor "Tandoor" | Recipes Search vendor "Tandoor" for product "Recipes" | >= 0.17.0 <= 1.2.5 Search vendor "Tandoor" for product "Recipes" and version " >= 0.17.0 <= 1.2.5" | - |
Affected
| ||||||