Filtered by vendor Tandoor
Total: 9 CVE
| CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-57396 | Tandoor | Recipes | 2025-10-03 | N/A | 6.5 MEDIUM | Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. This is due to the rework of the API, which resulted in the User Profile API endpoint containing two boolean values indicating whether a user is staff or an administrator. Consequently, any user can escalate their privileges to the highest level. |
| CVE-2024-0403 | Tandoor | Recipes | 2025-05-19 | N/A | 6.5 MEDIUM | Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server, because the application is vulnerable to Server-Side Request Forgery (SSRF). |
| CVE-2025-23213 | Tandoor | Recipes | 2025-05-08 | N/A | 8.7 HIGH | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The file upload feature allows uploading arbitrary files, including HTML and SVG; both can contain malicious content (XSS payloads). This vulnerability is fixed in 1.5.28. |
| CVE-2025-23212 | Tandoor | Recipes | 2025-05-08 | N/A | 7.7 HIGH | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. The external storage feature allows any user to enumerate the names and content of files on the server. This vulnerability is fixed in 1.5.28. |
| CVE-2025-23211 | Tandoor | Recipes | 2025-05-08 | N/A | 9.9 CRITICAL | Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. A Jinja2 server-side template injection (SSTI) vulnerability allows any user to execute commands on the server; with the provided Docker Compose file, these commands run as root. This vulnerability is fixed in 1.5.24. |
| CVE-2022-23074 | Tandoor | Recipes | 2024-11-21 | 3.5 LOW | N/A | In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to stored cross-site scripting (XSS) in the 'Name' field of the Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload triggers. A low-privileged attacker can obtain the victim's API key, which can lead to takeover of the admin account. |
| CVE-2022-23073 | Tandoor | Recipes | 2024-11-21 | 3.5 LOW | N/A | In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to stored cross-site scripting (XSS) in the copy-to-clipboard functionality. When a victim accesses the food list page, adds a new Food with a malicious JavaScript payload in the 'Name' parameter and clicks the clipboard icon, the XSS payload triggers. A low-privileged attacker can obtain the victim's API key, which can lead to takeover of the admin account. |
| CVE-2022-23072 | Tandoor | Recipes | 2024-11-21 | 3.5 LOW | N/A | In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to stored cross-site scripting (XSS) in the 'Add to Cart' functionality. When a victim accesses the food list page, adds a new Food with a malicious JavaScript payload in the 'Name' parameter and clicks the Add to Shopping Cart icon, the XSS payload triggers. A low-privileged attacker can obtain the victim's API key, which can lead to takeover of the admin account. |
| CVE-2022-23071 | Tandoor | Recipes | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server-Side Request Forgery (SSRF) in the 'Import Recipe' functionality. By entering a localhost URL, a low-privileged attacker can access/read the internal file system and obtain sensitive information. |
