PT-2025-13392 · Unknown · Hay-Kot Mealie

Published 2025-03-27 · Updated 2025-03-29 · CVE-2024-55072

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: hay-kot mealie version 2.2.0

Description: A Broken Object Level Authorization issue exists in the "/api/users/{user-id}" endpoint, allowing users to modify their own profiles and potentially grant themselves additional permissions or change their household settings.

Recommendations: For hay-kot mealie version 2.2.0, consider restricting access to the "/api/users/{user-id}" endpoint until a patch is available, and limit the fields users can edit on their own profiles to prevent unauthorized permission changes.
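The following is an added illustration of the two checks the recommendation calls for on a profile-update endpoint; it is not Mealie's code, and the field names (`admin`, `group_id`, `household_id`, `full_name`, `email`) are assumptions standing in for whatever the real schema uses. The first handler shows the BOLA shape, the second adds an object-level ownership check and a field allow-list so a user cannot grant themselves rights or move households.

```python
from dataclasses import dataclass

# Assumed field names for illustration; not Mealie's real user schema.
SELF_EDITABLE = {"full_name", "email"}               # safe for a user to change on their own record
PRIVILEGED = {"admin", "group_id", "household_id"}   # grant rights or move the user; admin-only

class Forbidden(Exception):
    pass  # raised when the caller is not allowed to perform the update

@dataclass
class User:
    id: str
    admin: bool = False
    group_id: str = "group-1"
    household_id: str = "household-1"
    full_name: str = ""
    email: str = ""

def vulnerable_update(caller: User, target: User, patch: dict) -> User:
    """The BOLA shape: any authenticated caller writes any field of any user record."""
    for name, value in patch.items():
        setattr(target, name, value)
    return target

def hardened_update(caller: User, target: User, patch: dict) -> User:
    """Object-level check plus a field allow-list for non-admin callers."""
    # 1. Object-level authorization: only the owner or an admin may touch this record.
    if caller.id != target.id and not caller.admin:
        raise Forbidden("cannot modify another user's profile")
    # 2. Field-level authorization: a non-admin may not touch privilege or membership fields.
    if not caller.admin:
        blocked = set(patch) & PRIVILEGED
        if blocked:
            raise Forbidden(f"fields require admin rights: {sorted(blocked)}")
    # 3. Reject fields outside the known schema instead of silently setting them.
    unknown = set(patch) - SELF_EDITABLE - PRIVILEGED
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    for name, value in patch.items():
        setattr(target, name, value)
    return target

def is_denied(caller: User, target: User, patch: dict) -> bool:
    """True when the hardened handler refuses the update (helper for checks)."""
    try:
        hardened_update(caller, target, patch)
    except Forbidden:
        return True
    return False
```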

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-55072

Affected Products: Hay-Kot Mealie