Hay-Kot Mealie Broken Object Level Authorization Vulnerability Allowing Privilege Escalation

Vulnerability

A broken object level authorization (BOLA) vulnerability has been identified in Hay-Kot Mealie version 2.2.0. It allows an authenticated user to edit their own profile and, in doing so, grant themselves additional permissions or change their household affiliation. The issue is in the API endpoint '/api/users/{user-id}': the endpoint lets a user update their own record, but it does not restrict which attributes of that record they may change. A user can therefore set privileged profile attributes, including permission flags and the household ID, to escalate privileges and reach functionality that should be limited to administrators or to members of another household.

Impact

Exploitation of this vulnerability allows a user to modify their own permissions and household association without authorization, which can lead to unauthorized access to household resources such as recipes and shopping lists.

Reproduction

To reproduce this vulnerability, an authenticated user sends a PUT request to the '/api/users/{user-id}' endpoint for their own user ID, with a request body containing the desired profile changes. The permission fields and the household ID field in the body are altered to the values the user wants. Once the request is processed, the user's profile is updated with the new permissions and household affiliation, granting them unauthorized access to manage that household's resources.
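The following is an added illustration of the authorization flaw and its fix, written here as example code; it is not Mealie's code. It models an update handler for a user record: the vulnerable version checks only that the caller owns the target record (the object-level check) and then applies every submitted attribute, while the fixed version also restricts which attributes a non-administrator may set on their own profile. The attribute names (admin, household_id, can_manage, full_name, email) and the User model are assumptions chosen for the illustration and are not claimed to match Mealie's schema.

```python
"""Illustrative BOLA check for a user-profile update endpoint.

Added example, not Mealie's code. Field names and the User model are
assumptions chosen for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    id: str
    full_name: str
    email: str = ""
    admin: bool = False            # assumed privilege flag
    household_id: str = "hh-a"     # assumed household affiliation
    can_manage: bool = False       # assumed per-user permission flag


# Attributes a user may change on their own record.
SELF_EDITABLE = {"full_name", "email"}
# Attributes only an administrator may set; a self-edit must never touch these.
PRIVILEGED = {"admin", "household_id", "can_manage"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the update."""


def update_user_vulnerable(actor: User, target: User, body: dict) -> User:
    """The flaw described in the advisory, in miniature.

    The object-level check is present (a non-admin may only edit their own
    record), but every submitted attribute is applied, privileged ones included,
    so a user can promote themselves or move to another household.
    """
    if actor.id != target.id and not actor.admin:
        raise Forbidden("non-admins may only edit their own profile")
    return replace(target, **body)


def update_user_fixed(actor: User, target: User, body: dict) -> User:
    """Object-level check plus attribute-level check.

    A non-admin may edit only their own record and only attributes in
    SELF_EDITABLE; anything else in the body is rejected outright rather than
    silently dropped, so a tampered client gets an explicit error.
    """
    if actor.id != target.id and not actor.admin:
        raise Forbidden("non-admins may only edit their own profile")
    if not actor.admin:
        disallowed = set(body) - SELF_EDITABLE
        if disallowed:
            raise Forbidden(f"attributes not editable by the user: {sorted(disallowed)}")
    # Only apply attributes the model actually has; unknown keys are rejected.
    unknown = set(body) - set(User.__dataclass_fields__)
    if unknown:
        raise Forbidden(f"unknown attributes: {sorted(unknown)}")
    return replace(target, **body)


def attempt(handler, actor: User, target: User, body: dict) -> Tuple[bool, Optional[User]]:
    """Run a handler and report (allowed, resulting_user) without raising."""
    try:
        return True, handler(actor, target, body)
    except Forbidden:
        return False, None


if __name__ == "__main__":
    # Constructed sample: an ordinary user sends a self-edit that also tries
    # to grant admin, a management permission, and a different household.
    alice = User(id="u-1", full_name="Alice", email="alice@example.invalid")
    tampered = {"full_name": "Alice", "admin": True,
                "household_id": "hh-b", "can_manage": True}
    print("vulnerable:", attempt(update_user_vulnerable, alice, alice, tampered))
    print("fixed:     ", attempt(update_user_fixed, alice, alice, tampered))
```

The important design point is the second check in update_user_fixed: owning the object is not the same as being allowed to change every attribute of it. Permission flags and household membership are administrative state and should only be settable by a caller whose role permits it, regardless of whose record is being edited.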

Remediation

Update Hay-Kot Mealie to version 2.5.0, in which this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 5.0
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.