CVE-2022-23074 - Vulnerability Details - OpenCVE

Description

In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.

Published: 2022-06-21

Score: 3.5 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

recipes

recipes

affected

Version	Status	Constraints
`0.17.0`	affected	< unspecified
`unspecified`	affected	≤ 1.2.5

Configuration 1 [-]

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update version to 1.2.6 or later

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-28181	In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00238.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6
https://www.mend.io/vulnerability-database/CVE-2022-23074

History

No history.

Subscriptions

Tandoor Recipes

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2022-06-21T09:20:10.647Z

Updated: 2024-09-16T18:55:57.596Z

Reserved: 2022-01-10T00:00:00.000Z

Link: CVE-2022-23074

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-06-21T10:15:08.343

Modified: 2024-11-21T06:47:55.863

Link: CVE-2022-23074

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "recipes", "vendor": "recipes", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0.17.0", "versionType": "custom"}, {"lessThanOrEqual": "1.2.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Mend Vulnerability Research Team (MVR)"}], "datePublic": "2022-01-11T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the \u2018Name\u2019 field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover."}], "metrics": [{"other": {"content": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-21T09:20:10.000Z", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23074"}], "solutions": [{"lang": "en", "value": "Update version to 1.2.6 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "Recipes - Stored XSS in Name Parameter", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", "ID": "CVE-2022-23074", "STATE": "PUBLIC", "TITLE": "Recipes - Stored XSS in Name Parameter"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "recipes", "version": {"version_data": [{"version_affected": ">=", "version_value": "0.17.0"}, {"version_affected": "<=", "version_value": "1.2.5"}]}}]}, "vendor_name": "recipes"}]}}, "credit": [{"lang": "eng", "value": "Mend Vulnerability Research Team (MVR)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the \u2018Name\u2019 field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": 3.1}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6", "refsource": "MISC", "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6"}, {"name": "https://www.mend.io/vulnerability-database/CVE-2022-23074", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-23074"}]}, "solution": [{"lang": "en", "value": "Update version to 1.2.6 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:28:43.316Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23074"}]}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-23074", "datePublished": "2022-06-21T09:20:10.647Z", "dateReserved": "2022-01-10T00:00:00.000Z", "dateUpdated": "2024-09-16T18:55:57.596Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "matchCriteriaId": "77273517-B816-4DFD-98A3-71E661A7CB57", "versionEndIncluding": "1.2.5", "versionStartIncluding": "0.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the \u2018Name\u2019 field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover."}, {"lang": "es", "value": "En Recipes, versiones 0.17.0 hasta 1.2.5, son vulnerables a un ataque de tipo Cross-Site Scripting (XSS) Almacenado, en el campo \"Name\" de los componentes Keyword, Food y Unit. Cuando una v\u00edctima accede a los endpoints Keyword/Food/Unit, la carga \u00fatil de tipo XSS es desencadenada. Un atacante con pocos privilegios tendr\u00e1 la clave API de la v\u00edctima y puede conllevar a una toma de control de la cuenta del administrador"}], "id": "CVE-2022-23074", "lastModified": "2024-11-21T06:47:55.863", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2022-06-21T10:15:08.343", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23074"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23074"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}]}