CVE-2025-23212

Tandoor Recipes - Local file disclosure - Users can read the content of any file on the server

CVSS 7.7 HIGH · EPSS 0.5% · CWE-200
In short

Tandoor Recipes has a flaw that lets users read any file stored on the server through its external storage feature. This exposes sensitive information like configuration files and private data that should be protected.

Technical detail

The external storage feature in Tandoor Recipes fails to properly restrict file access, allowing any user to enumerate the names of files on the server filesystem and retrieve their content. The vulnerability stems from insufficient access controls on file retrieval operations, enabling disclosure of potentially sensitive server data. Fixed in version 1.5.28.

Summary generated and translated by AI from the official description.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the name and content of files on the server. This vulnerability is fixed in 1.5.28.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products
TandoorRecipes · recipes
