CVE-2022-34613, CVE-2022-34618, CVE-2022-34619 – Multiple XSS (And more) in Mealie

A follow-up to the last post! And don’t worry, there are still more vulnerabilities coming! As in the last post, these were a joint effort between my co-worker, Bruno Hernández (GitHub and LinkedIn), and me at nVisium (after hours, of course) to find some more CVEs (and his first CVE), which led me to suggest an open source web application called Mealie, which can be found HERE.

CVE-2022-34619 is a Cross-site scripting (XSS) vulnerability.

Unfortunately, it turns out that the Mealie version pulled from Docker is v0.5.5, found HERE. Lesson learned: don’t trust Docker to have the most current version of an application 🙂

This one is a stored XSS in Mealie v0.5.5 which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Shopping Lists item name text field.

In other words, any authenticated user can create a shopping list and then modify an item name to contain malicious JavaScript, which is executed in the browser of every user, unauthenticated or authenticated, who accesses the site.

CVE-2022-34618 is another Cross-site scripting (XSS) vulnerability.

Fortunately! This one does affect the most current Mealie version at the time of reaching out to the developer, v1.0.0beta3, found HERE.

This is a stored XSS in Mealie v1.0.0beta3 which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the recipe description text field.

Specifically, any authenticated user can create a recipe and include malicious JavaScript in its description, which executes in the browser of any unauthenticated target who views that recipe.
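Both stored XSS issues above have the same shape: attacker-controlled text (a shopping-list item name, a recipe description) is written into the page as HTML instead of as text. The fix lives at render time, because the payload is already sitting in the database. The following is an added example written for this post, not Mealie’s code: item names are plain text and only need escaping, while a description that is meant to allow light formatting needs an allowlist sanitizer. The tag and attribute allowlists, the `safe_href` rules and the function names are this example’s own choices; for production use a maintained sanitizer (DOMPurify in the browser, nh3 or bleach in Python) rather than this teaching-sized one.

```python
"""Render-time defences against stored XSS (added example, not Mealie's code)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for "rich" fields such as a recipe description (example policy).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no src
SAFE_SCHEMES = {"http", "https", "mailto"}
_DROP_WITH_CONTENT = {"script", "style"}  # drop the element and its text


def escape_plain_text(value: str) -> str:
    """For fields that are never HTML (item names): escape every metacharacter."""
    return html.escape(value, quote=True)


def safe_href(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and friends. Browsers strip ASCII
    control characters before parsing a URL, so 'java\\tscript:' is live;
    remove them before looking at the scheme. No scheme means a relative link."""
    probe = re.sub(r"[\x00-\x20\x7f]", "", value)
    scheme = urlparse(probe).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded, re-escaped on output
        self.out = []
        self.open_tags = []   # allowed tags currently open, for well-formed output
        self.skip_depth = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in _DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, svg, iframe, ...): drop the tag, keep its text
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # drops onerror=, onmouseover=, style=, ...
            if name == "href" and not safe_href(value):
                continue
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends

    def handle_endtag(self, tag):
        if tag in _DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # Close back to the matching tag so nesting stays well formed.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close anything the attacker left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_rich_text(value: str) -> str:
    """Reduce untrusted HTML to the allowlist above; always returns balanced markup."""
    parser = _Sanitizer()
    parser.feed(value)
    return parser.result()


if __name__ == "__main__":
    # Constructed payloads of the kind the post describes, not the ones from the report.
    print(escape_plain_text('<img src=x onerror=alert(1)>'))
    print(sanitize_rich_text('<b onmouseover=alert(1)>bold</b><a href="javascript:alert(1)">x</a>'))
```

Run the module directly to see the two functions applied to constructed payloads; a framework would call `escape_plain_text` for item names (or simply use its template engine’s text interpolation) and `sanitize_rich_text` for descriptions, at output time.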

Lastly! CVE-2022-34613 encompasses MULTIPLE vulnerabilities.

I won’t list them ALL here, but malicious files such as an EICAR test file can be uploaded (1. lack of anti-virus scanning of uploaded files), which means that (2.) the file upload is unrestricted: HTML files carrying XSS payloads can be uploaded and then shared, where they execute for unauthenticated visitors. Other malicious files can be shared and so forth. If you’re interested in the complete details, let me know! Otherwise, I’ve listed some of the “impacts” of the vulnerability below.

Upload an HTML file containing malicious JavaScript as your profile image, then send a target a link to your profile image or wait for a user to navigate to your profile page.

Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. In this case, the more likely impact is phishing or spreading malware.

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment. HTML files containing malicious JavaScript can be uploaded as Recipe Images. These are accessible by unauthenticated targets.

Malicious files can be written anywhere on the host.
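The upload impacts above come down to the server trusting the client’s filename and Content-Type for what is supposed to be an image. The following is an added example written for this post, not Mealie’s code: it decides the type from the file’s leading bytes, refuses anything that is not a known raster format (which rules out HTML and also SVG, which can carry `<script>`), ignores the client’s filename entirely, and returns the headers the file should later be served with. The function names, the size limit, the accepted formats and the response headers are this example’s own choices. Note the polyglot case in the samples: a file starting with `GIF89a` followed by HTML passes any magic-number check, so the type gate alone is not enough; serving the sniffed `Content-Type` together with `X-Content-Type-Options: nosniff` is what stops the browser from treating it as a page. Anti-virus scanning of the accepted bytes (the post’s EICAR finding) is a separate step, for example handing them to a clamd instance, and is not shown here.

```python
"""Content-based gate for uploaded images (added example, not Mealie's code)."""
import hashlib
from dataclasses import dataclass

# Magic numbers for the raster formats an image field should accept.
# Anything else (HTML, SVG, PDF, ...) is refused, whatever the filename says.
_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png", ".png"),
    (b"\xff\xd8\xff", "image/jpeg", ".jpg"),
    (b"GIF87a", "image/gif", ".gif"),
    (b"GIF89a", "image/gif", ".gif"),
)


def sniff_image_type(data: bytes):
    """Return (mime, extension) from the leading bytes, or None if not a known raster image."""
    for magic, mime, ext in _SIGNATURES:
        if data.startswith(magic):
            return mime, ext
    # WebP is a RIFF container: "RIFF" <4-byte size> "WEBP"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp", ".webp"
    return None


class UploadRejected(ValueError):
    """Raised when an upload fails the gate; the message is safe to show the user."""


@dataclass(frozen=True)
class StoredImage:
    stored_name: str    # server-chosen; the client's filename is never used
    content_type: str   # the sniffed type, which is also what it will be served as
    headers: dict       # headers to attach when serving it back


def response_headers(content_type: str) -> dict:
    """Headers for serving user content. nosniff stops the browser from
    re-interpreting an image/* response as HTML even when the bytes are a
    GIF/HTML polyglot; the CSP sandbox neuters scripts if the file is opened
    directly in a tab rather than through <img>."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def validate_image_upload(data: bytes, declared_content_type: str,
                          max_bytes: int = 5 * 1024 * 1024) -> StoredImage:
    """Accept only real raster images whose declared type matches their content."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected("not a supported image (png, jpeg, gif, webp)")
    mime, ext = sniffed
    declared = declared_content_type.split(";", 1)[0].strip().lower()
    if declared != mime:
        raise UploadRejected(f"declared type {declared!r} does not match content ({mime})")
    # Content-addressed name: no user-controlled path component, no user-controlled extension.
    stored_name = hashlib.sha256(data).hexdigest() + ext
    return StoredImage(stored_name, mime, response_headers(mime))


def is_accepted(data: bytes, declared_content_type: str) -> bool:
    """Convenience wrapper: True if the gate would accept the upload."""
    try:
        validate_image_upload(data, declared_content_type)
        return True
    except UploadRejected:
        return False


# Constructed sample uploads (not files from the report).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32   # PNG signature plus dummy body
SAMPLE_HTML = b"<html><body><script>alert(document.cookie)</script></body></html>"
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SAMPLE_POLYGLOT = b"GIF89a" + b"<script>alert(1)</script>"  # passes the sniff; nosniff stops it

if __name__ == "__main__":
    for label, blob, ctype in (("png", SAMPLE_PNG, "image/png"),
                               ("html as png", SAMPLE_HTML, "image/png"),
                               ("svg", SAMPLE_SVG, "image/svg+xml"),
                               ("gif/html polyglot", SAMPLE_POLYGLOT, "image/gif")):
        print(f"{label:18} accepted={is_accepted(blob, ctype)}")
```

The stored name is derived from the content hash, so an uploaded `avatar.html` can never land on disk under that name or anywhere the client chooses; the original filename is simply not an input to this function.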

For example, here is a user’s image set to a malicious XSS payload!

An example of an XSS payload being executed

Check out my co-worker’s more verbose write-up HERE

Check out patch information HERE

Check out the Huntr.dev report by my co-worker HERE

More information about:

CVE-2022-34613

CVE-2022-34618

CVE-2022-34619
