Cross-site scripting in usememos/memos
Nov 23rd 2022
memos allows users to upload a file and make it public to others. If the uploaded file is HTML with the content below, an XSS attack can occur.
Proof of Concept
// PoC.js
<html>
<head>
  <meta charset="utf-8">
  <script>
    alert("warning");
  </script>
</head>
<body>
</body>
</html>
This vulnerability may allow an attacker to perform cross-site scripting (XSS) attacks to gain access to potentially sensitive information.
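One way to serve user uploads so that a file like the PoC is downloaded instead of rendered in the application's origin. This is an added example, not code from memos or its fix; the function name `resourceHeaders`, the `inlineSafe` allowlist and the CSP value are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
)

// inlineSafe lists media types a browser renders without running script.
// The list is an assumption for this example; HTML, SVG and XML are
// deliberately absent because all three can carry script.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true,
	"image/webp": true, "text/plain": true,
}

// resourceHeaders returns the response headers for serving an uploaded file
// whose uploader-supplied Content-Type is `declared`.
func resourceHeaders(declared, filename string) http.Header {
	h := http.Header{}
	// Stop the browser from sniffing HTML out of a mislabelled upload.
	h.Set("X-Content-Type-Options", "nosniff")
	// If anything does render, it gets no script and an opaque origin.
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")

	// ParseMediaType lowercases the type and strips parameters, so
	// "TEXT/HTML; charset=utf-8" cannot slip past the allowlist.
	mt, _, err := mime.ParseMediaType(declared)
	if err == nil && inlineSafe[mt] {
		h.Set("Content-Type", mt)
		h.Set("Content-Disposition", "inline")
		return h
	}
	// Everything else (text/html, image/svg+xml, empty, malformed) is
	// forced to download as opaque bytes.
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Disposition",
		mime.FormatMediaType("attachment", map[string]string{"filename": filename}))
	return h
}

func main() {
	// Constructed input matching the PoC upload above.
	for k, v := range resourceHeaders("text/html", "PoC.html") {
		fmt.Println(k+":", v[0])
	}
}
```

Serving uploads from a separate origin that holds no session cookies reduces the impact further if a type is ever allowlisted by mistake.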