XSS by uploading svg files in usememos/memos


Reported on

Dec 20th 2022


Hi there, Your project has a function of uploading files.That is the section named "Resource".But it does not filter the content of the uploaded files. If we upload an svg file containing malicious data and a user accesses it, xss will be triggered.


Please visit my video link


Proof of Concept

1.Login as any user.

2.Click the module named "Resource".

3.Upload a svg file and the contents of this file are as follows.

<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>

4.Access this svg file


(1) To steal the administrator account or cookie, the intruder can log in to the background as an administrator. It enables intruders to manipulate background data maliciously, including reading, changing, adding and deleting some information.

(2) Stealing users' personal information or login accounts will pose a huge threat to the user security of the website. For example, pretend to be a user for various operations.

(3) The website hangs horses. First, embed the malicious attack code into the Web application. When the user browses the hanging horse page, the user's computer will be implanted with a Trojan horse.

(4) Send advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting the normal use of users.


Hello, my suggestion is that you should detect and filter the content of the svg file.

We are processing your report and will contact the usememos/memos team within 24 hours. 20 days ago
Christy__ modified the report
20 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 19 days ago
usememos/memos maintainer validated this vulnerability 19 days ago
Christy__ has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit c07b4a 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago
resource.go#L1-L278 has been validated
to join this conversation