CVE-2025-23213
📋 TL;DR
Tandoor Recipes versions before 1.5.28 contain an unrestricted file upload vulnerability that allows attackers to upload malicious HTML and SVG files containing cross-site scripting (XSS) payloads. This affects all users running vulnerable versions of the application, potentially compromising user sessions and data.
💻 Affected Systems
- Tandoor Recipes
📦 What is this software?
Recipes by Tandoor
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious files that execute arbitrary JavaScript in victims' browsers, leading to session hijacking, account takeover, data theft, or redirection to malicious sites.
Likely Case
Attackers upload XSS payloads to steal session cookies or authentication tokens, compromising user accounts and potentially accessing sensitive recipe data and meal plans.
If Mitigated
With proper input validation and file type restrictions, the impact is limited to potential file storage abuse without code execution.
🎯 Exploit Status
Exploitation requires file upload access, which typically requires authentication, but could be combined with other vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.28
Vendor Advisory: https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-56jp-j3x5-hh2w
Restart Required: No
Instructions:
1. Backup your Tandoor Recipes database and configuration.
2. Update to version 1.5.28 or later using your deployment method (Docker, manual, etc.).
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Disable file uploads
- Temporarily disable the file upload feature in Tandoor Recipes configuration
- Modify configuration to disable file uploads (specific method depends on deployment)
Implement WAF rules
- Add web application firewall rules to block malicious file uploads containing XSS payloads
- Configure WAF to block uploads of HTML and SVG files or files containing script tags
🧯 If You Can't Patch
- Implement strict file type validation at the web server level to block HTML and SVG uploads
- Deploy a reverse proxy with content inspection to sanitize uploaded files before they reach the application
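The two items above describe what a strict upload filter should do. As an added illustration that is not Tandoor's own code and not taken from the advisory, the following Python module shows a validation routine of the kind a reverse proxy or upload handler could apply: it accepts only raster-image extensions, requires the file's leading bytes to match that same format (so a renamed SVG or HTML file is rejected even with a `.png` name), refuses "polyglot" images that carry HTML or SVG markup in their head, and returns response headers that stop a browser from ever treating a stored upload as a document. The extension allow-list, the 4 KiB markup scan window and the header set are assumptions chosen for this example.

```python
import re

# Extension -> MIME type that the file bytes must actually match. HTML and SVG
# are deliberately absent: SVG is XML and can carry <script>, so a recipe-image
# endpoint has no reason to accept it. (Allow-list is an assumption for this example.)
ALLOWED_TYPES = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "webp": "image/webp",
}

# Magic-byte prefixes for the allowed raster formats (WebP is handled separately
# because its signature is split: "RIFF" .... "WEBP").
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

# Markup that has no business at the start of an image. Catches polyglot files
# such as "GIF89a<script>..." that a browser could render if it ever sniffed them.
MARKUP_RE = re.compile(rb"<\s*(?:!doctype|html|svg|script)\b", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if unrecognised."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, detail).

    Accept only when the extension is on the allow-list, the content sniffs as
    that same format, and no HTML/SVG markup appears in the first 4 KiB. On
    acceptance `detail` is the verified MIME type; on rejection it is the reason.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_TYPES.get(ext)
    if expected is None:
        return False, f"extension {ext!r} is not an allowed image type"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content does not sniff as a raster image"
    if actual != expected:
        return False, f"extension implies {expected} but content is {actual}"
    if MARKUP_RE.search(data[:4096]):  # scan window size is an assumption
        return False, "image carries embedded HTML/SVG markup"
    return True, actual


def download_headers(filename: str, mime: str):
    """Headers for serving a stored upload so the browser cannot reinterpret it
    as a document even if the validation above were bypassed."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and an SVG renamed to .png.
    print(validate_upload("pie.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
    print(validate_upload("pie.png", b"<svg xmlns='http://www.w3.org/2000/svg'/>"))
```

The ordering matters: checking the extension alone is what the vulnerable behaviour amounts to, and checking only the sniffed type lets a `.svg` that starts with whitespace or a BOM slip past a naive filter. Requiring both to agree, then scanning for markup, closes the renamed-file and polyglot cases that WAF rules keyed on `.html`/`.svg` names would miss.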
🔍 How to Verify
Check if Vulnerable:
Check if your Tandoor Recipes version is below 1.5.28 by visiting the application's about page or checking the version in the admin interface.
Check Version:
Check the version shown in the application interface, or, if using Docker, run 'docker ps' to see the image tag of the running container
Verify Fix Applied:
After updating, verify the version shows 1.5.28 or higher and test that HTML/SVG file uploads are properly rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload activity, particularly HTML or SVG files
- Multiple failed upload attempts with suspicious filenames
Network Indicators:
- HTTP POST requests to upload endpoints with HTML/SVG content
- Unusual traffic patterns to file upload URLs
SIEM Query:
source="tandoor-logs" AND (file_upload="*.html" OR file_upload="*.svg")
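The log and network indicators above, together with the SIEM query, amount to two rules: flag any upload whose name ends in an HTML or SVG extension (most urgent when the server accepted it), and flag a client that racks up repeated failed uploads. As an added example that is not part of the advisory and not Tandoor's own logging format, the following Python scanner applies both rules to constructed key=value upload log lines; the field names (`user`, `src`, `status`, `file_upload`), the extension list and the failure threshold are assumptions chosen for the example, and the `file_upload` field is named to match the query above.

```python
import re
from collections import Counter

# Extensions that should never arrive at a recipe-image endpoint.
# (Assumed list for this example; extend to match your policy.)
RISKY_EXTENSIONS = {"html", "htm", "xhtml", "svg"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log excerpt (not real Tandoor output). Field names are assumptions.
SAMPLE_LOG = """\
2025-01-15T10:02:11Z INFO upload user=alice src=203.0.113.5 status=201 file_upload="pie.jpg"
2025-01-15T10:02:40Z INFO upload user=mallory src=198.51.100.9 status=201 file_upload="recipe.svg"
2025-01-15T10:03:02Z INFO upload user=mallory src=198.51.100.9 status=400 file_upload="recipe.html"
2025-01-15T10:03:05Z INFO upload user=mallory src=198.51.100.9 status=400 file_upload="recipe.htm"
2025-01-15T10:03:09Z INFO upload user=mallory src=198.51.100.9 status=400 file_upload="recipe.xhtml"
2025-01-15T10:05:30Z INFO upload user=bob src=203.0.113.7 status=201 file_upload="cake.png"
"""


def parse_fields(line: str) -> dict:
    """Extract key=value pairs; quoted values may contain spaces."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def scan_upload_log(text: str, fail_threshold: int = 3) -> list:
    """Return a list of findings.

    - "risky_extension": an upload named *.html/*.htm/*.xhtml/*.svg. Severity is
      "high" when the server returned 2xx (the file was stored and may be served
      back to other users), "medium" when it was rejected.
    - "repeated_failures": one (user, src) pair with >= fail_threshold failed
      uploads, a pattern consistent with someone probing the filter.
    """
    findings = []
    failures = Counter()
    for line in text.splitlines():
        f = parse_fields(line)
        name = f.get("file_upload")
        if name is None:
            continue  # not an upload event
        status = int(f.get("status", "0"))
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append({
                "kind": "risky_extension",
                "severity": "high" if 200 <= status < 300 else "medium",
                "user": f.get("user"),
                "src": f.get("src"),
                "file": name,
                "status": status,
            })
        if status >= 400:
            failures[(f.get("user"), f.get("src"))] += 1
    for (user, src), n in failures.items():
        if n >= fail_threshold:
            findings.append({
                "kind": "repeated_failures",
                "severity": "medium",
                "user": user,
                "src": src,
                "count": n,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_upload_log(SAMPLE_LOG):
        print(finding)
```

On the sample, the accepted `recipe.svg` from `mallory` is the one high-severity finding: a 2xx on a risky extension means the file is now stored and, on an unpatched instance, may be rendered in other users' browsers, so that line is the one to triage first. The rejected `.html`/`.htm`/`.xhtml` attempts are lower priority individually but together trip the repeated-failure rule for the same user and source address.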