Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe endpoints (PUT /api/recipe/{id}/), enabling forced exposure of private recipes, unauthorized self-grant of access via the shared list, and metadata tampering. This vulnerability is fixed in 2.6.4.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NTandoor Recipes
APPTandoor< 2.6.4
Powiązane podatności
Brak ograniczenia prób logowania przez Basic Auth w Tandoor Recipes
Tandoor Recipes: SSTI w Jinja2 umożliwia RCE każdemu zalogowanemu użytkownikowi
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to ...
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to ...
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions ...