How severe is CVE-2024-31991?

This vulnerability has a severity rating of LOW with a CVSS score of 3.5 out of 10.

What type of vulnerability is CVE-2024-31991?

This is classified as CWE-918, which is a common weakness in software security.

CVE-2024-31991 - LOW Severity | CVSS 3.5

Vulnerability Description

Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server. Based on the content of the response, it will either parse the content or disregard it. This function, nor those that call it, add any restrictions on the URL that can be provided, nor is it restricted to being an FQDN (i.e., an IP address can be provided). As this function’s return will be handled differently by its caller depending on the response, it is possible for an attacker to use this functionality to positively identify HTTP(s) servers on the local network with any IP/port combination. This issue can result in any authenticated user being able to map HTTP servers on a local network that the Mealie service has access to. Note that by default any user can create an account on a Mealie server, and that the default [email protected] user is available with its hard-coded password. This vulnerability is fixed in 1.4.0.

Related Vulnerabilities

CVE-2024-26476

LOW

CVSS:3.5(Low)

An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.

CWE-9182024

CVE-2025-27430

LOW

CVSS:3.5(Low)

Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker ...

CWE-9182025

CVE-2020-14328

LOW

CVSS:3.3(Low)

A flaw was found in Ansible Tower in versions before 3.7.2. A Server Side Request Forgery flaw can be abused by supplying a URL which could lead to the server processing it connecting to internal serv...

CWE-9182020

CVE-2022-0085

LOW

CVSS:3.7(Low)

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.

CWE-9182022

CVE-2023-48711

LOW

CVSS:3.7(Low)

google-translate-api-browser is an npm package which interfaces with the google translate web api. A Server-Side Request Forgery (SSRF) Vulnerability is present in applications utilizing the `google-t...

CWE-9182023

CVE-2024-0243

LOW

CVSS:3.7(Low)

With the following crawler configuration: ```python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader( url=url, max_depth=2, extractor=lambda x: Soup(x, "ht...

CWE-9182024