Tandoor Recipes v2.6.4 Release Notes: GHSA Fixes for CSS Injection and Privilege Escalation

Vulnerability Key Information Summary Vulnerability Overview This page contains the release notes for version v2.6.4 of the open-source recipe management application Tandoor Recipes. This update primarily addresses multiple security vulnerabilities and functional bugs, involving input validation, access control, and risks related to cross-site scripting (XSS) or injection. Scope of Impact Food Shopping Module: Involves input validation issues within the food shopping sub-endpoints. API Access Control: Involves permissions allowing shared users to modify cookbooks (books) via the API. Frontend Rendering Security: Involves CSS injection risks caused by the allowance of tags during Markdown rendering, affecting third-party clients. Private Data Access: Involves the recipe batch update endpoint, potentially leading to unauthorized access to private recipes belonging to other members. Shopping List Logic: Involves anomalies regarding category ordering and supermarket selection logic within the shopping list. Remediation The vulnerabilities are resolved by upgrading to v2.6.4. The specific fixes correspond to the following GitHub Security Advisories (GHSA) IDs: 1. GHSA-8wx8-3pv2-3554: Fixed the lack of validation for quantity and unit inputs in the food shopping sub-endpoints. 2. GHSA-xvmf-cfrq-4f8f: Fixed the issue allowing shared users to modify cookbooks via the API. 3. GHSA-9hhn-q2fc-r8x2: Fixed the CSS injection vulnerability in third-party clients caused by the allowance of tags during Markdown rendering. 4. GHSA-v8x3-w674-55p5: Fixed the issue where the recipe batch update endpoint could update private recipes of other workspace members if the ID was known. 5. #4446: Fixed the issue where category ordering skipped when a shopping list item was checked but no supermarket was selected. 6. Other Fixes: Fixed issues where functionality was broken when no supermarket was selected during shopping. (Note: The provided screenshot does not contain specific POC exploitation code, only the Security Advisory IDs and Issue IDs.)*

Goal Reached Thanks to every supporter — we hit 100%!

Tandoor Recipes v2.6.4 Release Notes: GHSA Fixes for CSS Injection and Privilege Escalation

More from this source