Cookie without Secure attribute in usememos/memos

Valid

Reported on

Dec 21st 2022


Description

At the moment, memos_session has the value false at secure flag.

Proof of Concept

  1. Access to web demo https://demo.usememos.com/

  2. Use browser's dev tool to check the cookie, we can see there is a memos_session having value false at Secure.

Impact

User's cookies can be sent to the server with an unencrypted request over the HTTP protocol. This is not secure.

We are processing your report and will contact the usememos/memos team within 24 hours. 19 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 18 days ago
STEVEN validated this vulnerability 18 days ago
Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit 7efa74 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago
to join this conversation