Vabene1111

**Name of the Vulnerable Software and Affected Versions** Tandoor Recipes versions prior to 2.6.0 **Description** Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the `SyncViewSet.query synced folder()` action in `cookbook/views/api.py` (line 903) fetches a Sync object using `get object or 404(Sync, pk=pk)` without including `space=request.space` in the filter. This allows an admin user in Space A to trigger sync operations (Dropbox/Nextcloud/Local import) on Sync configurations belonging to Space B, and view the resulting sync logs. The API endpoint involved is `SyncViewSet.query synced folder()`. The vulnerable parameter is `pk`. **Recommendations** Update to version 2.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** Recipes version 1.5.10 **Description** The application is vulnerable to Server-Side Request Forgery (SSRF), allowing arbitrary HTTP requests to be made through the server. **Recommendations** For Recipes version 1.5.10, as a temporary workaround, consider restricting access to the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Recipes versions 1.0.5 through 1.2.5 **Description** The issue concerns Stored Cross-Site Scripting (XSS) in the "Add to Cart" functionality. When a victim accesses the food list page, adds a new Food with a malicious javascript payload in the `Name` parameter, and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. This could allow a low-privileged attacker to obtain the victim's API key, potentially leading to admin's account takeover. **Recommendations** For versions 1.0.5 through 1.2.5, as a temporary workaround, consider disabling the "Add to Cart" functionality or restricting the use of the `Name` parameter in the affected API endpoint until a patch is available. Avoid using the `Name` parameter in the "Add to Cart" functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Recipes versions 1.0.5 through 1.2.5 **Description** The issue concerns Stored Cross-Site Scripting (XSS) in the copy to clipboard functionality. When a victim accesses the food list page, adds a new Food with a malicious javascript payload in the `Name` parameter, and clicks on the clipboard icon, an XSS payload will trigger. This can allow a low-privileged attacker to obtain the victim's API key, potentially leading to admin's account takeover. **Recommendations** For versions 1.0.5 through 1.2.5, as a temporary workaround, consider disabling the copy to clipboard functionality until a patch is available. Restrict access to the food list page and the ability to add new Food items to minimize the risk of exploitation. Avoid using the `Name` parameter in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Recipes versions 0.17.0 through 1.2.5 **Description** The issue concerns Stored Cross-Site Scripting (XSS) in the 'Name' field of Keyword, Food, and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, such as "/Keyword" or "/Food" or "/Unit", the XSS payload will trigger. A low-privileged attacker can obtain the victim's API key, potentially leading to admin's account takeover. **Recommendations** For versions 0.17.0 through 1.2.5, consider disabling the 'Name' field in the Keyword, Food, and Unit components until a patch is available. Restrict access to the Keyword/Food/Unit endpoints to minimize the risk of exploitation. Avoid using the `Name` field in these components until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.