CVE-2022-34624

MEDIUM

Mealie 1.0.0beta3 - Insufficient Session Expiration

Title source: llm

Description

Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.

References (3)

Core 3

Core References

Not Applicable, URL Repurposed x_refsource_misc

http://hkotel.com

Not Applicable, URL Repurposed x_refsource_misc

http://mealie.com

Third Party Advisory x_refsource_misc

https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/

Scores

CVSS v3 5.9

EPSS 0.0064

EPSS Percentile 45.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-613

Status published

Products (2)

mealie/mealie 0.5.5

mealie/mealie 1.0.0 beta3

Published Aug 19, 2022

Tracked Since Feb 18, 2026