Stored Cross-Site Scripting vulnerability in Recipe Instructions allows Admin session hijacking in hay-kot/mealie
Reported on Jun 28th 2022
Description
A low-privilege user can insert malicious JavaScript into the Recipe Instructions field; it executes in the browser of any other user who views the recipe.
Proof of Concept
<img src=x onerror=alert(document.domain)>
Reproduction Steps:
- As a lower-privileged user, log in to the Mealie web application.
- Create a recipe and, using the inline markdown editor, add the Proof of Concept code to the Instructions.
- An alert box will appear indicating the presence of XSS.
Impact
A lower-privilege user can submit malicious JavaScript into the Recipe Instructions, which will execute in the context of another person's browser when they navigate to the vulnerable page. Since this is a Stored XSS vulnerability, no user interaction is required beyond browsing to the vulnerable page. An attacker can use this XSS vulnerability to do anything that JavaScript can do, including but not limited to making arbitrary HTTP requests in the victim's browser, hooking a victim's browser, and hijacking an admin session.
I did not realize at the time of submission that the session cookie auth._token.local did not have the HttpOnly flag set. This means that JavaScript has access to the session cookie and an attacker can hijack an admin's session. This would bump this vulnerability up to a high.
We are happy to donate the bounty to the maintainer. Before we can do this, we need the maintainer to establish a fix for the report and elect themselves as the "fixer". We will then be able to do this for you ♥️