PT-2022-15831 · Recipes · Recipes

Vabene1111

Published: 2022-06-21 · Updated: 2022-06-28

CVE-2022-23073

CVSS v2.0: 3.5 (Low)

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Recipes versions 1.0.5 through 1.2.5

Description: The issue is a Stored Cross-Site Scripting (XSS) vulnerability in the copy-to-clipboard functionality. A new Food whose Name parameter contains a malicious JavaScript payload is stored; when a victim then opens the food list page and clicks the clipboard icon, the payload executes in the victim's browser. This allows a low-privileged attacker to obtain the victim's API key, potentially leading to takeover of an admin account.

Recommendations: For versions 1.0.5 through 1.2.5, as a temporary workaround, consider disabling the copy-to-clipboard functionality until a patch is available. Restrict access to the food list page and the ability to add new Food items to minimize the risk of exploitation. Avoid using the Name parameter in the affected functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
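As an added illustration (not code from the Recipes project; its actual implementation is not shown on this page), the following JavaScript contrasts the vulnerable pattern the description implies, a stored food name interpolated into page markup unescaped, with the standard defences: HTML output encoding and a clipboard write that only ever handles plain text. The food names, list markup, function names and the `writeText` parameter are all constructed for this example.

```javascript
'use strict';

// Constructed sample data (not data from the Recipes project). The second
// name carries an inert marker payload of the kind a stored XSS plants in
// the Food "Name" field; it only fires if some code renders it as HTML.
const SAMPLE_FOODS = [
  { id: 1, name: 'Tomato' },
  { id: 2, name: '<img src=x onerror="alert(1)">' },
];

// Output encoding: every character with meaning in HTML text or attribute
// context becomes an entity, so the browser displays the name literally
// instead of parsing it as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (assumed, shown only for contrast): the stored name is
// dropped into markup unescaped, so the marker name above becomes a live
// element whenever this string reaches innerHTML.
function renderFoodListUnsafe(foods) {
  return foods.map((f) => `<li data-id="${f.id}">${f.name}</li>`).join('');
}

// Hardened pattern: encode every interpolated value. The same name is now
// rendered as visible text and cannot execute.
function renderFoodListSafe(foods) {
  return foods
    .map((f) => `<li data-id="${escapeHtml(f.id)}">${escapeHtml(f.name)}</li>`)
    .join('');
}

// Copy-to-clipboard with no HTML round-trip: build plain text and hand it to
// a text-only writer (in a browser, navigator.clipboard.writeText). Because
// nothing is parsed as HTML, a stored payload is copied as inert characters.
// `writeText` is injected here so the function can run outside a browser.
function copyFoodNames(foods, writeText) {
  const text = foods.map((f) => f.name).join('\n');
  writeText(text);
  return text;
}

// Cheap defender-side check to run over already stored names: a food name
// never legitimately needs a tag, so any name that opens one deserves review.
function looksLikeMarkup(name) {
  return /<[a-zA-Z!/]/.test(name);
}
```

The design point is that encoding belongs at the output boundary, at the moment a value is placed into HTML, rather than being attempted on input; the clipboard path avoids the problem entirely by never building markup. `looksLikeMarkup` is a triage aid for the workaround period, not a substitute for encoding.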

Exploit

XSS


Weakness Enumeration

Related Identifiers: CVE-2022-23073

Affected Products: Recipes