A follow-up to the last post! And don’t worry, there are still more vulnerabilities coming! As in the last post, these were a joint effort between my co-worker, Bruno Hernández (GitHub and LinkedIn), and me at nVisium (after hours, of course) to find some more CVEs (and his first CVE), which led me to suggest an open source web application called Mealie, which can be found HERE.
CVE-2022-34619 is a Cross-site scripting (XSS) vulnerability.
Unfortunately, it turns out that the Mealie version pulled from Docker is v0.5.5, found HERE. Lesson learned: don’t trust Docker to have the most current version of an application 🙂
This one is a stored XSS in Mealie v0.5.5 which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Shopping Lists item name text field.
CVE-2022-34618 is another Cross-site scripting (XSS) vulnerability.
Fortunately, this one does affect the most current Mealie version at the time I reached out to the dev, v1.0.0beta3, found HERE.
This is a stored XSS in Mealie v1.0.0beta3 which allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the recipe description text field.
Lastly! CVE-2022-34613 encompasses MULTIPLE vulnerabilities.
I won’t list them ALL here, but malicious files such as an EICAR test file can be uploaded (1. no anti-virus scanning of uploaded files), which means that the 2. file upload is unrestricted: XSS files can be uploaded and then shared and executed unauthenticated, other malicious files can be shared, and so forth. If you’re interested in the complete details, LMK! Otherwise, I’ve listed some of the “impacts” of the vulnerability below:
Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the recipient. In this case, the more likely impact is phishing or spreading malware.
Malicious files can be written anywhere on the host.
For example, here is a user’s image set to a malicious XSS payload!
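To make the fix for the upload issues concrete, here is an added example of a server-side upload gate (my own illustration, not Mealie’s code or its patch) that addresses each point above: it strips path components so a file cannot be written outside the upload root, decides the file type from magic bytes rather than the client-supplied extension, refuses image files that also carry script or markup, and matches the EICAR test-file marker as a stand-in for a real anti-virus scan. The upload root, the images-only policy and the `vet_upload` name are assumptions for the example.

```python
"""Hardened upload gate: filename, content-type and content checks (added example)."""
import os
import re
from dataclasses import dataclass

# Assumed policy: only raster images are accepted, identified by their magic bytes.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Markup a browser would execute if the file were served inline (HTML/SVG "XSS files").
ACTIVE_CONTENT = re.compile(rb"<\s*(script|svg|html|iframe)\b|javascript:", re.I)
# Distinctive substring of the EICAR anti-virus test file; a real deployment would
# hand the bytes to an AV engine such as ClamAV instead of a fixed marker.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_path: str = ""


def vet_upload(filename: str, data: bytes, upload_root: str = "/srv/mealie/uploads") -> Verdict:
    # 1. Filename: drop any directory part (handles ../ and backslashes) and only keep a
    #    conservative stem; the server, not the client, picks the extension later.
    base = os.path.basename(filename.replace("\\", "/"))
    stem = base.rsplit(".", 1)[0]
    if not SAFE_STEM.match(stem):
        return Verdict(False, "unsafe filename")
    # 2. Type sniffing by magic bytes, ignoring whatever extension the client claimed.
    kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), None)
    if kind is None:
        return Verdict(False, "not an allowed image type")
    # 3. Reject polyglots: a valid image header followed by script/markup.
    if ACTIVE_CONTENT.search(data):
        return Verdict(False, "active content in upload")
    # 4. Malware check on the raw bytes.
    if EICAR_MARKER in data:
        return Verdict(False, "malware signature matched")
    # Final path is built from server-chosen parts and verified to stay under the root.
    stored = os.path.join(upload_root, f"{stem}.{kind}")
    if os.path.commonpath([upload_root, stored]) != upload_root:
        return Verdict(False, "path escapes upload root")
    return Verdict(True, "ok", stored)
```

Serving accepted files with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` closes the remaining gap, since a browser then never interprets an upload as a page even if a check above is bypassed.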
Check out my co-worker’s more verbose write-up HERE
Check out patch information HERE
Check out the Huntr.dev report by my co-worker HERE
More information about