{"id":"CVE-2022-34621","details":"Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows attackers to modify user passwords and other attributes via modification of the user_id parameter.","modified":"2026-04-10T04:49:06.695482Z","published":"2022-08-19T14:15:08.333Z","references":[{"type":"ADVISORY","url":"https://cwe.mitre.org/data/definitions/639.html"},{"type":"ADVISORY","url":"https://docs.mealie.io/changelog/v0.5.6/"},{"type":"ADVISORY","url":"https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/"},{"type":"ADVISORY","url":"https://hub.docker.com/r/hkotel/mealie"},{"type":"ADVISORY","url":"https://portswigger.net/web-security/access-control/idor"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hay-kot/mealie","events":[{"introduced":"0"},{"last_affected":"4b9dcf95f9f43a98cc2c6fb33cd34666c94a0fc7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.5.5"}]}}],"versions":["v0.0.1","v0.0.2","v0.1.0","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.4.0","v0.5.3","v0.5.4","v0.5.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-34621.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.0.0-beta3"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}