Tandoor Recipes Unrestricted File Upload Vulnerability Leading to Stored Cross-Site Scripting

Vulnerability

A stored cross-site scripting vulnerability has been identified in Tandoor Recipes versions through 1.5.23. The file upload feature accepts arbitrary file types, including HTML and SVG, and serves the uploaded files back to users. Both formats can carry script, so an uploaded file can deliver a cross-site scripting payload that runs in the origin of the Tandoor instance when the file is opened in a browser. The vulnerability has been addressed in version 1.5.28.

Impact

Exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who opens the uploaded file, within the origin of the Tandoor instance. Depending on who views the file, this can be used to take over an admin account, to use the victim's browser to probe the internal network (for example a ping sweep), or otherwise to control the affected user's browser session.

Reproduction

To reproduce, upload a crafted SVG file containing a script element, for example one that calls alert with the document's domain. After uploading, set the file as the logo for a space. The payload executes when the SVG is opened directly in the browser. Alternatively, upload an HTML file containing a script that resets the password of the admin user; when an admin views the file, the script runs with the admin's session, the password is changed, and the attacker can log in to the admin account.

Remediation

Users are advised to update Tandoor Recipes to version 1.5.28 or later.
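The following is an added example, not code from Tandoor Recipes or from the advisory. It covers both the Reproduction section above and the remediation here: it builds a constructed SVG of the kind the reproduction describes (a script element that alerts document.domain) alongside a constructed HTML upload, and then shows a server-side upload check of the sort that closes this class of bug: accept only raster image formats identified by their magic bytes, reject anything a browser would render as a document (HTML, or SVG, with or without script), and serve accepted files with headers that stop a browser from treating the body as active content. The function and constant names are the example's own.

```python
"""
Added example (not Tandoor's code): classify uploads that a browser would
render as active content, and harden how accepted files are served.
"""
import re
from dataclasses import dataclass

# Constructed SVG payload of the kind the advisory describes: a script element
# that alerts document.domain when the file is opened directly in the browser.
CRAFTED_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="100" fill="#e33"/>
  <script type="text/javascript">alert(document.domain);</script>
</svg>
"""

# Constructed HTML upload: any markup a browser renders as a document is enough
# for stored XSS once it is served from the application's origin.
CRAFTED_HTML = b"<!doctype html><html><body><script>fetch('/')</script></body></html>"

# Constructed minimal PNG: the 8-byte signature plus padding (enough for a magic check).
BENIGN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

# Allowlist of raster formats. Their bytes are never interpreted as markup or script.
ALLOWED_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"RIFF": "image/webp",  # RIFF container; bytes 8..12 must also read b"WEBP"
}

SVG_TAG = re.compile(rb"<\s*svg\b", re.IGNORECASE)
# <script> elements, on* event-handler attributes, and javascript: hrefs all
# execute when an SVG is navigated to directly (not when shown via <img>).
ACTIVE_SVG = re.compile(rb"<\s*script\b|\son[a-z]+\s*=", re.IGNORECASE)
SVG_JS_URL = re.compile(rb"(?:xlink:)?href\s*=\s*[\"']?\s*javascript:", re.IGNORECASE)
HTML_TAG = re.compile(
    rb"<\s*(?:!doctype\s+html|html|body|script|iframe|object|embed)\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    content_type: str  # type the server should serve the file as, if accepted
    reason: str


def classify_upload(data: bytes) -> Verdict:
    """Accept only raster images identified by magic bytes. Anything a browser
    could render as a document (HTML, SVG) is rejected; SVG is rejected even
    without script, because serving it safely needs sanitising or sandboxing
    rather than a regex, and a logo upload does not need SVG at all."""
    head = data[:16]
    for magic, ctype in ALLOWED_MAGIC.items():
        if head.startswith(magic):
            if ctype == "image/webp" and data[8:12] != b"WEBP":
                continue  # some other RIFF container: not an allowed image
            return Verdict(True, ctype, "raster image by magic bytes")
    sniff = data[:4096]  # browsers sniff the leading bytes; so do we
    if SVG_TAG.search(sniff):
        if ACTIVE_SVG.search(sniff) or SVG_JS_URL.search(sniff):
            return Verdict(False, "", "svg contains script or event handler")
        return Verdict(False, "", "svg not in allowlist")
    if HTML_TAG.search(sniff):
        return Verdict(False, "", "html document")
    return Verdict(False, "", "unknown or disallowed type")


def download_headers(verdict: Verdict, filename: str) -> dict:
    """Response headers for serving an accepted upload. nosniff pins the declared
    type, and a sandboxing CSP on the file response blocks script execution even
    if a user navigates to the file directly (defence in depth behind the allowlist)."""
    if not verdict.accepted:
        raise ValueError("refusing to serve a rejected upload")
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": verdict.content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for label, blob in (("crafted svg", CRAFTED_SVG), ("crafted html", CRAFTED_HTML), ("png", BENIGN_PNG)):
        print(label, classify_upload(blob))
```

The check deliberately classifies by content rather than by the client-supplied filename or Content-Type, since both are attacker controlled; the CSP sandbox on the file response is the same pattern used by large code-hosting sites for user-supplied SVG and is a worthwhile mitigation even on a fixed version.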

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.