CVE-2022-23378

MEDIUM

TastyIgniter 3.2.2 - Stored Cross-Site Scripting via items%5B0%5D%5Bpath%5D Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-23378. PoCs published by TheGetch.

AI-analyzed exploit summary

This PoC demonstrates an authenticated reflected XSS vulnerability in TastyIgniter v3.2.2, where the `items[0][path]` parameter in the admin dashboard's allergen edit functionality is vulnerable to JavaScript injection. The payload is executed when the server returns an error message containing the unsanitized input.

Description

A Cross-Site Scripting (XSS) vulnerability exists within the 3.2.2 version of TastyIgniter. The "items%5B0%5D%5Bpath%5D" parameter of a request made to /admin/allergens/edit/1 is vulnerable.

Exploits (1)

nomisec WORKING POC
by TheGetch · poc
https://github.com/TheGetch/CVE-2022-23378

Classification
Working PoC: 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: TastyIgniter v3.2.2
Auth required
Prerequisites: Authenticated access to the TastyIgniter admin dashboard
MITRE ATT&CK
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References (2)
Product (x_refsource_misc): https://tastyigniter.com/
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/TheGetch/CVE-2022-23378

Scores

CVSS v3 5.4
EPSS 0.0108
EPSS Percentile 60.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
tastyigniter/tastyigniter 3.2.2
Published Feb 09, 2022
Tracked Since Feb 18, 2026