Cross-site Scripting (XSS) - Stored in nebulade/meemo
Valid
Reported on Jun 25th 2021
✍️ Description
Stored XSS in meemo's file creation functionality.
🕵️‍♂️ Proof of Concept
Payload:
Test<iframe src=javascript:alert(1) width=0 height=0 style=display:none;></iframe>
POC screenshot:
https://drive.google.com/file/d/1aLBRIdU2AAz-RXa6uEF0IiWf_ks5jHMu/view?usp=sharing
Tested on the demo website of the latest release. To reproduce, create a file, add the payload above, and save it.
💥 Impact
This vulnerability allows execution of malicious JavaScript via stored XSS.
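The pattern behind this report, as an added example that is not part of the original report and is not meemo's code: it assumes saved content is concatenated into the page's HTML, and shows the reported payload neutralized by output encoding, plus a scheme allowlist for user-supplied URL attributes. All function names are hypothetical.

```javascript
// Added example, not meemo's code: all function names are hypothetical.
// PAYLOAD is the string from the report above.
const PAYLOAD =
  'Test<iframe src=javascript:alert(1) width=0 height=0 style=display:none;></iframe>';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag or entity, or close a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed vulnerable pattern: stored content concatenated into markup as-is.
function renderUnsafe(content) {
  return '<div class="entry">' + content + '</div>';
}

// Hardened pattern: stored content is encoded at output time.
function renderSafe(content) {
  return '<div class="entry">' + escapeHtml(content) + '</div>';
}

// Where user-supplied URLs are allowed in attributes (href, src), accept
// only relative URLs or an allowlisted scheme.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeUrl(value) {
  // Browsers drop leading whitespace/control characters and embedded
  // tabs/newlines before reading the scheme, so remove them first.
  const cleaned = String(value).replace(/[\u0000-\u0020]+/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return scheme === null || ALLOWED_SCHEMES.has(scheme[1].toLowerCase());
}

console.log(renderUnsafe(PAYLOAD)); // iframe markup reaches the HTML parser intact
console.log(renderSafe(PAYLOAD));   // iframe markup is displayed as inert text
console.log(isSafeUrl('javascript:alert(1)'), isSafeUrl('https://example.com/'));
```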
We have contacted a member of the nebulade/meemo team and are waiting to hear back
2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE