Stored Cross-Site Scripting vulnerability in Recipe Instructions allows Admin session hijacking in hay-kot/mealie
Jun 28th 2022
Proof of Concept
<img src=x onerror=alert(document.domain)>
- As a lower-privileged user, log in to the Mealie web application.
- Create a recipe and, using the inline markdown editor, add the Proof of Concept code to the Instructions.
- An alert box will appear indicating the presence of XSS.