{
  "vulnerability": "cve-2022-2307",
  "sightings": [
    {
      "uuid": "1fea0da2-314b-46d2-ad0c-479d339e84f4",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2022-23072",
      "type": "seen",
      "source": "https://t.me/cibsecurity/44860",
      "content": "\u203c CVE-2022-23072 \u203c\n\nIn Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in \u201cAdd to Cart\u201d functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the \u2018Name\u2019 parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2022-06-21T12:27:36.000000Z"
    },
    {
      "uuid": "269d2d2c-8061-4b82-86af-b4225e86c837",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2022-23074",
      "type": "seen",
      "source": "https://t.me/cibsecurity/44870",
      "content": "\u203c CVE-2022-23074 \u203c\n\nIn Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the \u2018Name\u2019 field of Keyword, Food and Unit components. When a victim accesses the Keyword/Food/Unit endpoints, the XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2022-06-21T14:37:22.000000Z"
    },
    {
      "uuid": "ad81d5c6-ec3c-4098-b047-8ecde889cab6",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2022-23079",
      "type": "seen",
      "source": "https://t.me/cibsecurity/44935",
      "content": "\u203c CVE-2022-23079 \u203c\n\nIn motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality where malicious actor can send fake password reset email to arbitrary victim.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2022-06-22T16:28:32.000000Z"
    },
    {
      "uuid": "36eb9bd2-9abe-4c28-9aa4-14c3eed8b530",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2022-23077",
      "type": "seen",
      "source": "https://t.me/cibsecurity/44934",
      "content": "\u203c CVE-2022-23077 \u203c\n\nIn habitica versions v4.119.0 through v4.232.2 are vulnerable to DOM XSS via the login page.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2022-06-22T16:28:31.000000Z"
    },
    {
      "uuid": "e3eac345-02bb-4d6c-b958-9c3e8c2397cc",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2022-23078",
      "type": "seen",
      "source": "https://t.me/cibsecurity/44936",
      "content": "\u203c CVE-2022-23078 \u203c\n\nIn habitica versions v4.119.0 through v4.232.2 are vulnerable to open redirect via the login page.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2022-06-22T16:28:33.000000Z"
    },
    {
      "uuid": "7d613366-dcda-49cf-9915-2426cbdf6ace",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "2a075640-a300-48a4-bb44-bc6130783b9b",
      "vulnerability": "CVE-2022-23073",
      "type": "seen",
      "source": "https://t.me/cibsecurity/44862",
      "content": "\u203c CVE-2022-23073 \u203c\n\nIn Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the \u2018Name\u2019 parameter and clicks on the clipboard icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2022-06-21T12:27:38.000000Z"
    }
  ]
}