Stored XSS via markdown link in usememos/memos

Valid

Reported on

Jan 5th 2023

Description

Markdown editor doesn't sanitize user's input, leads to stored XSS

Proof of Concept

[a](javascript:window.onerror=alert`poc`;throw%201)

Reproduce

1.Login to https://demo.usememos.com/

2.Create new memo with content

[a](javascript:window.onerror=alert`poc`;throw%201)

image 3.Ctrl+left click this link, javascript code has been executed image

Impact

injects malicious content, phishing, session hijacking

We are processing your report and will contact the usememos/memos team within 24 hours. 4 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 3 days ago
STEVEN validated this vulnerability 3 days ago
Domiee13 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Domiee13
3 days ago

Researcher

@admin can you assign a CVE for this vulnerability, please ?

STEVEN marked this as fixed in 0.10.0 with commit 0f8ce3 3 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 3 days ago
to join this conversation