Cross-site scripting in usememos/memos

Valid

Reported on

Nov 23rd 2022


Description

memos allows users to upload a file and make it public to others. If the file is HTML with the content below, an XSS attack can happen.

Proof of Concept

// PoC.js
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script>
    alert("warning");
</script>
</head>
<body>


</body>
</html>

Impact

This vulnerability may allow an attacker to perform cross-site scripting (XSS) attacks to gain access to potentially sensitive information.
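
One way to serve uploaded files so that an HTML upload like the PoC above is downloaded instead of rendered on the application's origin. This is an added example, not the memos code or the merged patch; `serveUpload`, `headersFor` and the `inlineSafe` allowlist are hypothetical names and assumptions.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed allowlist of types that render inline without running script.
// text/html and image/svg+xml are left out on purpose: both can carry <script>.
var inlineSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true,
	"image/webp": true, "audio/mpeg": true, "video/mp4": true, "text/plain": true,
}

// serveUpload (hypothetical helper) writes a stored upload so the browser never
// treats it as an active document; types off the allowlist become downloads.
func serveUpload(w http.ResponseWriter, filename, storedType string, blob []byte) {
	mediaType := strings.ToLower(strings.TrimSpace(strings.SplitN(storedType, ";", 2)[0]))
	h := w.Header()
	h.Set("X-Content-Type-Options", "nosniff")                      // no MIME sniffing to HTML
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox") // no script even if rendered
	if inlineSafe[mediaType] {
		h.Set("Content-Type", mediaType)
		h.Set("Content-Disposition", "inline")
	} else {
		disp := mime.FormatMediaType("attachment", map[string]string{"filename": filename})
		if disp == "" {
			disp = "attachment"
		}
		h.Set("Content-Type", "application/octet-stream")
		h.Set("Content-Disposition", disp)
	}
	w.Write(blob)
}

// headersFor runs serveUpload against an in-memory recorder and returns the headers.
func headersFor(filename, storedType string, blob []byte) http.Header {
	rec := httptest.NewRecorder()
	serveUpload(rec, filename, storedType, blob)
	return rec.Header()
}

func main() {
	// Constructed sample input modelled on the report's PoC.
	poc := []byte(`<html><head><script>alert("warning");</script></head></html>`)
	fmt.Println(headersFor("poc.html", "text/html; charset=utf-8", poc))
}
```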


We are processing your report and will contact the usememos/memos team within 24 hours. 2 months ago
lujiefsi
2 months ago

Researcher


I believe that the demo site "https://demo.usememos.com/" is under threat.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the usememos/memos team and are waiting to hear back 2 months ago
We have sent a follow up to the usememos/memos team. We will try again in 7 days. a month ago
We have sent a second follow up to the usememos/memos team. We will try again in 10 days. a month ago
We have sent a third and final follow up to the usememos/memos team. This report is now considered stale. 25 days ago
usememos/memos maintainer
25 days ago

Maintainer


Great work @lujiefsi 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.

lujiefsi submitted a
24 days ago
lujiefsi
24 days ago

Researcher


also see https://github.com/usememos/memos/pull/749

lujiefsi
21 days ago

Researcher


It seems that the patch has been merged. @maintainer could you verify this report?

usememos/memos maintainer validated this vulnerability 21 days ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
usememos/memos maintainer marked this as fixed in 0.9.0 with commit 726285 21 days ago
lujiefsi has been awarded the fix bounty
This vulnerability has been assigned a CVE
usememos/memos maintainer published this vulnerability 21 days ago