{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "1.0.5"
              },
              {
                "last_affected": "1.2.5"
              }
            ]
          },
          "events": [
            {
              "introduced": "6cabeba3cbb4395b20d1e0f8e2ac1918eb5966b6"
            },
            {
              "last_affected": "378938812c8b1100bf054f9f31398fee4332d979"
            },
            {
              "fixed": "7b2117c0190d4f541ba4cc7ee4122f04738c4ac6"
            }
          ],
          "repo": "https://github.com/tandoorrecipes/recipes",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS) in the “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious JavaScript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, the XSS payload will trigger. A low-privileged attacker will then have the victim's API key, which can lead to takeover of the admin's account. The fix is in commit 7b2117c0190d4f541ba4cc7ee4122f04738c4ac6.",
  "id": "CVE-2022-23072",
  "modified": "2026-03-13T21:48:09.390972231Z",
  "published": "2022-06-21T08:15:07.407Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/TandoorRecipes/recipes/commit/7b2117c0190d4f541ba4cc7ee4122f04738c4ac6"
    },
    {
      "type": "FIX",
      "url": "https://www.mend.io/vulnerability-database/CVE-2022-23072"
    }
  ]
}