| Vendor |
|
| Product | TastyIgniter |
| Affected Version(s) | 3.5.0 and probably prior |
| Tested Version(s) | 3.5.0 |
| Vendor Notification | 13 June 2022 |
| Advisory Publication | 13 June 2022 [without technical details] |
| Vendor Fix | N/A |
| Public Disclosure | 13 June 2022 |
| Latest Modification | 09 June 2022 |
| CVE Identifier | Pending |
| Product Description | A free online ordering system for restaurants & takeaways based on Laravel PHP Framework. |
| Credits | Oswaldo Morales Rodríguez Security Researcher & Penetration Tester @wizlynx group |
| Stored XSS | |||
| Severity: Medium | CVSS Score: 5.4 | CWE-ID: CWE-79 | Status: Open |
| Vulnerability Description | |||
| TastyIgniter is affected by Stored Cross-Site Scripting (XSS) vulnerability affecting version 3.5.0. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. | |||
| CVSS Base Score | |||
| Attack Vector | Network | Scope | Changed |
| Attack Complexity | Low | Confidentiality Impact | Low |
| Privileges Required | Low | Integrity Impact | Low |
| User Interaction | Required | Availability Impact | None |
Full details about the vulnerability will be disclosed once the vendor has provided a patch.