Filtered by vendor Mealie Project
Subscriptions
Filtered by product Mealie
Subscriptions
Total
5 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-34613 | 1 Mealie Project | 1 Mealie | 2024-08-03 | 9.8 Critical |
| Mealie 1.0.0beta3 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file. | ||||
| CVE-2022-34625 | 1 Mealie Project | 1 Mealie | 2024-08-03 | 7.2 High |
| Mealie1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbitrary code via a crafted Jinja2 template. | ||||
| CVE-2022-34619 | 1 Mealie Project | 1 Mealie | 2024-08-03 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in Mealie v0.5.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Shopping Lists item names text field. | ||||
| CVE-2022-34618 | 1 Mealie Project | 1 Mealie | 2024-08-03 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the recipe description text field. | ||||
| CVE-2024-31991 | 1 Mealie Project | 1 Mealie | 2024-08-02 | 4.1 Medium |
| Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server. Based on the content of the response, it will either parse the content or disregard it. This function, nor those that call it, add any restrictions on the URL that can be provided, nor is it restricted to being an FQDN (i.e., an IP address can be provided). As this function’s return will be handled differently by its caller depending on the response, it is possible for an attacker to use this functionality to positively identify HTTP(s) servers on the local network with any IP/port combination. This issue can result in any authenticated user being able to map HTTP servers on a local network that the Mealie service has access to. Note that by default any user can create an account on a Mealie server, and that the default changeme@example.com user is available with its hard-coded password. This vulnerability is fixed in 1.4.0. | ||||
Page 1 of 1.