Mealie Stored HTML Injection Vulnerability in Recipe Notes Component

Vulnerability

A stored HTML injection vulnerability has been identified in Mealie version 3.3.1, specifically within the Recipe Notes rendering component. This vulnerability allows remote authenticated users to inject arbitrary HTML, which is then rendered without proper sanitization. As a result, the injected content can alter the user interface of the recipe view, potentially leading to user interface redressing.

Impact

Exploitation of this vulnerability allows an authenticated user to inject HTML that is stored and later rendered in the recipe view. This injected HTML can overlay or obscure legitimate content, intercept user interactions, redirect users to external pages, degrade the usability of affected recipes, and facilitate phishing or social-engineering attacks.

Reproduction

To reproduce this vulnerability, log into the Mealie application and create a new recipe. In the Recipe Notes section, enter an HTML payload such as a link styled to overlay the entire recipe view. After saving, the injected HTML is rendered in the recipe view rather than shown as text; clicking anywhere on the overlaid view redirects to example.com, demonstrating the injection impact.

Remediation

Users can update to Mealie version 3.8.0, where this vulnerability has been fixed.
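The rendering-side contrast behind this class of bug, as an added example that is not Mealie's own code: a raw-HTML render of a stored note next to an escape-then-allowlist render that keeps simple formatting but cannot emit attributes such as href or style. The allowed tag list, the function names, the recipe-note wrapper and the payload string are all assumptions constructed for this illustration.

```javascript
// Added example, not Mealie's code. Contrasts rendering stored recipe notes
// as raw HTML (the pattern behind a stored HTML injection) with rendering
// them through an escape-then-allowlist sanitizer. Runs under Node.js.

// Tags a notes field might legitimately need; everything else is escaped.
// The list is an assumption for this example.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br", "ul", "ol", "li"]);

// Entity-encode every character that could start or terminate markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the stored note is concatenated into the page as-is,
// so an <a> styled to cover the viewport is rendered exactly as submitted.
function renderNoteUnsafe(note) {
  return `<div class="recipe-note">${note}</div>`;
}

// Hardened pattern: tokenize on tag syntax, re-emit only allow-listed tag
// names with NO attributes (no href, style, on* handlers), and entity-escape
// every other character. Output can therefore only contain bare allowed tags.
function sanitizeNote(note) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let out = "";
  let last = 0;
  for (const m of note.matchAll(tagRe)) {
    out += escapeHtml(note.slice(last, m.index));
    const name = m[2].toLowerCase();
    // Unknown tags are escaped rather than dropped so the author can see them.
    out += ALLOWED_TAGS.has(name) ? `<${m[1]}${name}>` : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(note.slice(last));
}

function renderNoteSafe(note) {
  return `<div class="recipe-note">${sanitizeNote(note)}</div>`;
}

// Constructed payload of the kind the advisory describes: a link that
// overlays the whole recipe view and sends any click to example.com.
const OVERLAY_PAYLOAD =
  '<a href="https://example.com" style="position:fixed;top:0;left:0;' +
  'width:100vw;height:100vh;z-index:9999"></a>Simmer for <b>10</b> min';

// Check a reviewer can run over rendered output: is there still a live anchor?
function containsLiveAnchor(html) {
  return /<a\b[^>]*href=/i.test(html);
}
```

The sanitized output keeps the `<b>10</b>` formatting but shows the anchor markup as literal text, so the overlay never reaches the browser's layout engine.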

Added: Feb 11, 2026, 7:25 PM
Updated: Feb 11, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm

spread          0.8
impact          0.2
exploitability  6.3
remediation     7.7
relevance       2.9
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.