Tandoor Recipes Stored CSS Injection Vulnerability in Recipe Instructions

Vulnerability

A stored CSS injection vulnerability has been identified in Tandoor Recipes versions prior to 2.6.4. It allows authenticated users to inject arbitrary <style> tags into recipe step instructions. The application's sanitizer, bleach.clean(), mistakenly whitelists the <style> tag, so the backend persists the unsanitized CSS payload and serves it back via the API. Clients that render the instructions_markdown field as HTML without further sanitization will apply the injected CSS. Exploitation could lead to UI redressing, phishing overlays, visual defacement, and CSS-based data exfiltration.
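As an added illustration (not Tandoor's code, and not bleach itself), the following standard-library stand-in for an allow-list sanitizer in the spirit of bleach.clean() shows why the flaw exists: with "style" in the allow-list the CSS survives, with it removed the whole <style> element is dropped. The tag lists, the sample payload and the contains_style_tag() check for already-stored instructions are constructed for this example.

```python
"""Allow-list HTML sanitizer stand-in (not bleach) plus a check for stored
<style> elements. Tag lists below are illustrative, not Tandoor's real ones."""
import re
from html import escape
from html.parser import HTMLParser

# Constructed allow-lists. The first mirrors the flaw described above:
# "style" sits among the permitted tags, so CSS is persisted verbatim.
WEAK_ALLOWED_TAGS = {"p", "b", "i", "ul", "li", "style"}
FIXED_ALLOWED_TAGS = {"p", "b", "i", "ul", "li"}


class AllowlistSanitizer(HTMLParser):
    """Keep only allowed tags (attributes dropped), escape all other text.
    Disallowed <style>/<script> bodies are discarded, not emitted as text."""

    def __init__(self, allowed_tags):
        super().__init__(convert_charrefs=True)
        self.allowed = set(allowed_tags)
        self.dropping = None  # raw-text element whose body is being discarded
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:
            self.out.append(f"<{tag}>")
        elif tag in ("style", "script"):
            self.dropping = tag

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.dropping is None:
            self.out.append(escape(data, quote=False))


def sanitize(html, allowed_tags):
    """Return html with only allowed tags kept; everything else is escaped."""
    parser = AllowlistSanitizer(allowed_tags)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def contains_style_tag(stored_html):
    """Defender check for recipes saved before the fix: does the stored
    instructions_markdown value still carry a <style> element?"""
    return re.search(r"<style\b", stored_html, re.IGNORECASE) is not None


# Constructed sample of what an attacker could have stored pre-2.6.4.
SAMPLE = "<p>Mix well.</p><style>body{display:none}</style><i>Serve.</i>"
```

Running sanitize(SAMPLE, WEAK_ALLOWED_TAGS) returns the payload unchanged, while sanitize(SAMPLE, FIXED_ALLOWED_TAGS) yields only the <p> and <i> elements.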

Impact

Exploitation of this vulnerability allows the injection of CSS that is applied whenever the instructions_markdown field is rendered as HTML. This could be used to create phishing overlays, manipulate the UI, deface the page, or exfiltrate data using CSS techniques.

Reproduction

To reproduce this vulnerability, an authenticated user with the 'user' role can inject a <style> tag containing a CSS payload into the instructions of a recipe via the Tandoor Recipes API. After the recipe is saved, the unsanitized CSS is applied whenever the instructions_markdown field is rendered as HTML.

Remediation

Users can update to Tandoor Recipes version 2.6.4, where this vulnerability has been fixed.

Added: Apr 6, 2026, 6:30 PM
Updated: Apr 6, 2026, 6:30 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.2
exploitability: 5.9
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.