CVE-2022-34618: Stored Cross-Site Scripting vulnerability in Recipe Instructions allows Admin session hijacking in mealie

A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the recipe description text field.


Description

A low-privilege user can insert malicious JavaScript code into the Recipe Instructions; the code executes in the browser of any other user who visits that recipe.

Proof of Concept

<img src=x onerror=alert(document.domain)> 

Reproduction Steps:

  1. Log in to the Mealie web application as a lower-privileged user.
  2. Create a recipe and, using the inline markdown editor, add the Proof of Concept code to the Instructions.
  3. An alert box will appear when the recipe is viewed, indicating the presence of XSS.

Impact

A lower-privileged user can submit malicious JavaScript into the Recipe Instructions, which executes in the context of another user's browser when they navigate to the vulnerable page. Because this is a stored XSS vulnerability, no user interaction is required beyond browsing to the vulnerable page. An attacker can use this XSS vulnerability to do anything that JavaScript can do, including but not limited to making arbitrary HTTP requests from the victim's browser, hooking the victim's browser, and hijacking an admin session.
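The root cause described above is that HTML produced from user-supplied markdown reaches other users' browsers with event-handler attributes intact. The following is an added example of the defensive fix pattern, an allowlist HTML sanitizer, and is not Mealie's own code. It assumes the markdown has already been converted to HTML elsewhere and that the output is inserted into the page as HTML; tag and attribute allowlists here are illustrative choices for a recipe-style document, not the project's configuration. It keeps only known-safe tags and attributes, drops every `on*` handler, and rejects `javascript:` URLs (including the tab-obfuscated form browsers would still honour).

```python
"""Allowlist HTML sanitizer for user-supplied recipe content (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative allowlists: only tags/attributes a recipe body legitimately needs.
ALLOWED_TAGS = {
    "p", "br", "ul", "ol", "li", "strong", "em", "b", "i", "code", "pre",
    "h1", "h2", "h3", "a", "img", "blockquote", "table", "thead", "tbody",
    "tr", "th", "td",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
VOID_TAGS = {"br", "img"}
# Tags whose text content must be dropped too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value: str) -> bool:
    """Allow relative URLs and http/https/mailto; reject javascript:, data:, etc."""
    # Browsers strip tabs/newlines before parsing a URL, so remove control and
    # whitespace characters first; otherwise "java\tscript:" looks scheme-less.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme  # urlsplit lower-cases the scheme
    return scheme == "" or scheme in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._drop_depth = 0  # > 0 while inside <script>/<style>/...

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is stripped; its text is kept via handle_data
        kept = []
        for name, value in attrs:
            # Any attribute not on the allowlist (onerror, onload, style, ...)
            # is dropped here. This is what neutralises the PoC payload.
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text, so re-escape it.
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, processing instructions and doctype are silently dropped
    # by the base class defaults.


def sanitize_html(fragment: str) -> str:
    """Return a copy of `fragment` containing only allowlisted markup."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)


def demo() -> str:
    # Constructed input: the advisory's proof-of-concept payload.
    return sanitize_html("<img src=x onerror=alert(document.domain)>")


if __name__ == "__main__":
    print(demo())  # -> <img src="x">
```

Sanitizing on the server at save time (and again at render time if the frontend inserts HTML) means a malicious instruction string is never delivered to another user's browser with an executable attribute, which closes the stored-XSS path regardless of who authored the recipe. A Content-Security-Policy without `'unsafe-inline'` for scripts is a useful second layer but does not replace sanitization.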
