CVE-2024-55073
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-55073 is a Broken Object Level Authorization vulnerability (CWE-862) in the /api/users/{user-id} component of hay-kot mealie v2.2.0. Published on 2025-03-27, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L). The flaw enables improper editing of user profiles, bypassing intended access controls.
Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity and no user interaction. By targeting the vulnerable endpoint, attackers can modify their own profile to assign themselves elevated permissions or alter their household affiliation, achieving high integrity impact through potential privilege escalation.
Mitigation details are available in related advisories, including the GitHub issue at https://github.com/mealie-recipes/mealie/issues/4593 and the security post at https://m10x.de/posts/2025/03/all-your-recipe-are-belong-to-us-part-3/3-broken-access-controls-leading-to-privilege-escalation-and-more-in-mealie/.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The broken object-level authorization vulnerability directly enables low-privileged authenticated users to bypass access controls and escalate privileges by modifying user profiles and permissions.