Multiple vulnerabilities in Mealie
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2022-34624 CVE-2022-34615 CVE-2022-34621 CVE-2022-34623 |
| CWE-ID | CWE-200 CWE-521 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Mealie Web applications / Modules and components for CMS |
| Vendor | hay-kot |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU66674
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-34624
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an improper session termination/expiration flaw. A remote attacker can perform a man-in-the-middle attack and reuse the download token to download arbitrary files.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsMealie: 1.0.0 beta3
External linkshttp://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/
http://mealie.com
http://hkotel.com
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Weak password requirements
EUVDB-ID: #VU66677
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-34615
CWE-ID:
CWE-521 - Weak Password Requirements
Exploit availability: No
DescriptionThe vulnerability allows an attacker to perform brute-force attack and guess the password.
The vulnerability exists due to weak password requirements. A remote attacker can perform a brute-force attack and guess users' passwords.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsMealie: 1.0.0 beta3
External linkshttp://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/
http://docs.mealie.io/changelog/v0.5.6/
http://hub.docker.com/r/hkotel/mealie
http://cwe.mitre.org/data/definitions/521.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU66676
Risk: Medium
CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-34621
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to Insecure Direct Object Reference (IDOR) issue in the user_id parameter. A remote user can perform a brute-force attack and change the password or profile images and other settings of arbitrary users on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsMealie: 1.0.0 beta3
External linkshttp://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/
http://cwe.mitre.org/data/definitions/639.html
http://portswigger.net/web-security/access-control/idor
http://docs.mealie.io/changelog/v0.5.6/
http://hub.docker.com/r/hkotel/mealie
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU66675
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-34623
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a flaw in the authentication process. A remote attacker can send a specially crafted request using improper username and password and gain unauthorized access to sensitive information on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsMealie: 1.0.0 beta3
External linkshttp://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/
http://cwe.mitre.org/data/definitions/204.html
http://docs.mealie.io/changelog/v0.5.6/
http://hub.docker.com/r/hkotel/mealie
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
