Stored Cross-Site Scripting vulnerability in Recipe Instructions allows Admin session hijacking in hay-kot/mealie
Jun 28th 2022
Proof of Concept
<img src=x onerror=alert(document.domain)>
- As a lower-privileged user, log in to the Mealie web application.
- Create a recipe and, using the inline markdown editor, add the Proof of Concept code to the Instructions.
- An alert box will appear indicating the presence of XSS.
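The fix for this class of bug is to filter the HTML the markdown renderer produces against an allowlist before it is injected into the page. The sanitizer below is an added example, not code from the report or from Mealie; the tag and attribute allowlists and the sample input are assumptions chosen for illustration.

```javascript
// Added example (not Mealie's code): allowlist sanitizer for the HTML a markdown
// renderer emits, run before the result reaches the DOM (e.g. via v-html).
// Tags and attributes outside the allowlist are dropped, so an inline event
// handler such as onerror= never reaches the browser.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'a', 'img',
  'code', 'pre', 'h1', 'h2', 'h3', 'blockquote',
]);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt', 'title']) };
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Reject javascript:, data: and similar schemes; relative URLs are allowed.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  return scheme === null || SAFE_SCHEMES.has(scheme[1]);
}

// Text between tags: neutralise any stray angle brackets (entities are kept).
function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rebuild a tag's attribute list keeping only allowlisted names with safe values.
function cleanAttributes(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = '';
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;  // drops onerror, onclick, style, ...
    if ((name === 'href' || name === 'src') && !isSafeUrl(value)) continue;
    kept += ` ${name}="${value.replace(/"/g, '&quot;')}"`;
  }
  return kept;
}

function sanitizeHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const tag = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) continue;  // tag not on the allowlist: removed
    out += m[1] ? `</${tag}>` : `<${tag}${cleanAttributes(tag, m[3])}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed input: the report's payload as it would appear inside a rendered step.
console.log(sanitizeHtml('<p><img src=x onerror=alert(document.domain)></p>'));
// → <p><img src="x"></p>
```

A maintained library such as DOMPurify handles far more parser edge cases than this illustration; the point it demonstrates is that rendered markdown is filtered against an allowlist that never contains event-handler attributes before it is bound into the page.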
@admin - can you donate my bounty to the maintainer?
I did not realize at the time of submission that the session cookie auth._token.local did not have the
We are happy to donate the bounty to the maintainer. Before we can do this, we need the maintainer to establish a fix for the report and elect themselves as the "fixer". We will then be able to do this for you ♥️