PT-2022-15830 · Recipes · Recipes
Vabene1111
Published 2022-06-21 · Updated 2022-06-28
CVE-2022-23072
CVSS v2.0: 3.5 (Low)
| Vector | AV:N/AC:M/Au:S/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Recipes versions 1.0.5 through 1.2.5
Description
The issue is a Stored Cross-Site Scripting (XSS) vulnerability in the "Add to Cart" functionality. When a victim accesses the food list page, adds a new Food with a malicious JavaScript payload in the Name parameter, and clicks the Add to Shopping Cart icon, the XSS payload is triggered. This could allow a low-privileged attacker to obtain the victim's API key, potentially leading to takeover of an administrator account.
Recommendations
For versions 1.0.5 through 1.2.5, as a temporary workaround, consider disabling the "Add to Cart" functionality or restricting the use of the Name parameter in the affected API endpoint until a patch is available. Avoid using the Name parameter in the "Add to Cart" functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.
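The bug class described above, shown as an added example that is not code from the Recipes project: a stored food name interpolated into shopping-cart markup without escaping, beside the hardened rendering that treats the name as text. The DOM structure, function names and the sample name are constructed assumptions for illustration.

```javascript
// Added example (not Recipes project code). Function names, markup and the
// sample food name are constructed for illustration.

// Minimal HTML escaping for untrusted text that is interpolated into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored Name is concatenated into HTML that is later
// assigned to innerHTML (or rendered with v-html). Any markup inside the name
// becomes live DOM when the cart entry is shown, which is the stored XSS the
// advisory describes.
function renderCartEntryUnsafe(foodName) {
  return `<li class="cart-entry">${foodName}</li>`;
}

// Hardened pattern: the Name is escaped before interpolation, so it can only
// ever be displayed as text. Equivalent to using textContent or a mustache
// {{ }} binding instead of innerHTML / v-html.
function renderCartEntrySafe(foodName) {
  return `<li class="cart-entry">${escapeHtml(foodName)}</li>`;
}

// Defensive check for unit tests: count element openings in rendered HTML.
// Only the <li> wrapper should appear regardless of what the name contains.
function countElements(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// Constructed sample: a food name carrying a script-capable tag, the kind of
// value a tester would store through the Name parameter.
const SAMPLE_NAME = '<img src=x onerror="alert(1)">Tomato';

// Unsafe rendering yields two elements (<li> and <img>), safe rendering one.
// console.log(countElements(renderCartEntryUnsafe(SAMPLE_NAME))); // 2
// console.log(countElements(renderCartEntrySafe(SAMPLE_NAME)));   // 1
```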
Affected Products
Recipes