How severe is CVE-2024-31993?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.5 out of 10.

What type of vulnerability is CVE-2024-31993?

This is classified as CWE-918, which is a common weakness in software security.

CVE-2024-31993

MEDIUM Year: 2024

CVSS v3 Score

4.5

Medium

Weakness Type

CWE-918

View all →

Vulnerability Description

Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the scrape_image function will retrieve an image based on a user-provided URL, however the provided URL is not validated to point to an external location and does not have any enforced rate limiting. The response from the Mealie server will also vary depending on whether or not the target file is an image, is not an image, or does not exist. Additionally, when a file is retrieved the file may remain stored on Mealie’s file system as original.jpg under the UUID of the recipe it was requested for. If the attacker has access to an admin account (e.g. the default [email protected]), this file can then be retrieved. Note that if Mealie is running in a development setting this could be leveraged by an attacker to retrieve any file that the Mealie server had downloaded in this fashion without the need for administrator access. This vulnerability is fixed in 1.4.0.

CVE-2017-20106

MEDIUM

CVSS:4.4(Medium)

A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the...

CWE-9182017

CVE-2022-44730

MEDIUM

CVSS:4.4(Medium)

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / da...

CWE-9182022

CVE-2023-20002

MEDIUM

CVSS:4.4(Medium)

A vulnerability in Cisco TelePresence CE and RoomOS Software could allow an authenticated, local attacker to bypass access controls and conduct an SSRF attack through an affected device. This vulnerab...

CWE-9182023

CVE-2023-3121

MEDIUM

CVSS:4.6(Medium)

A vulnerability has been found in Dahua Smart Parking Management up to 20230528 and classified as problematic. This vulnerability affects unknown code of the file /ipms/imageConvert/image. The manipul...

CWE-9182023

CVE-2024-30420

MEDIUM

CVSS:4.4(Medium)

Server-side request forgery (SSRF) vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.12 and Ver.3.0.x series versions prior to Ver.3.0.32. If this vulnerability is exploite...

CWE-9182024

CVE-2024-32454

MEDIUM

CVSS:4.4(Medium)

Server-Side Request Forgery (SSRF) vulnerability in Wappointment Appointment Bookings for Zoom GoogleMeet and more – Wappointment.This issue affects Appointment Bookings for Zoom GoogleMeet and more –...

CWE-9182024

CVE-2024-31993

Vulnerability Description

Related Vulnerabilities

CVE-2017-20106

CVE-2022-44730

CVE-2023-20002

CVE-2023-3121

CVE-2024-30420

CVE-2024-32454