Cross-site Scripting (XSS) - Stored in nebulade/meemo

Valid

Reported on

Jun 25th 2021


✍️ Description

Stored xss in meemo file create functionality

🕵️‍♂️ Proof of Concept

Payload:
Test<iframe src=javascript:alert(1) width=0 height=0 style=display:none;></iframe>
POC screenshot:
https://drive.google.com/file/d/1aLBRIdU2AAz-RXa6uEF0IiWf_ks5jHMu/view?usp=sharing

Tested on the demo website of the latest release. To reproduce create a file and add the following payload and save it.

💥 Impact

This vulnerability is capable of executing malicious javascript and stored xss.

Occurrences

We have contacted a member of the nebulade/meemo team and are waiting to hear back a year ago
Johannes Zellner marked this as fixed with commit da151c a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation