CVE-2025-23213

Tandoor Recipes - Stored XSS through Unrestricted File Upload

CVSS 8.7 HIGH · EPSS 0.3% · CWE-434
In short

Tandoor Recipes allows users to upload files without proper restrictions, letting attackers upload HTML or SVG files containing malicious scripts. When other users view these files, the scripts execute in their browsers, potentially stealing data or taking unauthorized actions.

Technical detail

A CWE-434 unrestricted file upload vulnerability in Tandoor Recipes permits uploading HTML and SVG files containing XSS payloads. When such a file is served or displayed to other users, it executes arbitrary JavaScript in the victim's browser context, enabling session hijacking, credential theft, or account compromise. The vulnerability is mitigated in version 1.5.28 through file type validation and content filtering.
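
As an added illustration of the kind of mitigation the fix describes (file type validation plus content filtering), and not Tandoor's own code: a Python validator for a user-file upload endpoint, and the response headers for serving stored files so that a browser never renders them inline. The allowlist, magic-byte signatures, function names and header values are assumptions for the example.

```python
import re

# Allowlist of extension -> magic-byte prefixes the file must start with.
# HTML and SVG are deliberately absent: both are active content in a browser.
ALLOWED_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Markup that lets a browser run script if the bytes are ever rendered inline
# (catches renamed HTML/SVG and image/markup polyglots).
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|svg|html|iframe|object|embed)\b|javascript:", re.I
)

def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason): reject types off the allowlist, bytes that do not
    match the claimed type, and any file containing active markup."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sigs = ALLOWED_SIGNATURES.get(ext)
    if sigs is None:
        return False, f"extension {ext!r} not allowed"
    if not any(content.startswith(s) for s in sigs):
        return False, "content does not match claimed type"
    if ACTIVE_MARKUP.search(content):
        return False, "active markup found in file"
    return True, "ok"

def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving stored user files: force a download, forbid MIME
    sniffing, and sandbox anything a browser still decides to render."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }

if __name__ == "__main__":
    # Constructed samples: a real PNG header and an SVG carrying a script element.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    svg = b"<svg xmlns='http://www.w3.org/2000/svg'><script>x()</script></svg>"
    print(validate_upload("cake.png", png))  # (True, 'ok')
    print(validate_upload("cake.svg", svg))  # (False, "extension 'svg' not allowed")
    print(validate_upload("cake.png", svg))  # (False, 'content does not match claimed type')
```

The byte-signature check is what stops a renamed SVG, and the markup scan is what stops a file that carries a valid image header followed by markup; the headers cover files that were stored before the validator existed.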

Summary generated and translated by AI from the official description.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows uploading arbitrary files, including HTML and SVG. Both can contain malicious content (XSS payloads). This vulnerability is fixed in 1.5.28.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Affected products
TandoorRecipes · recipes
