Stored XSS while creating a new post in usememos/memos

Valid

Reported on Dec 27th 2022


Description

After logging in to the portal, create a new post and enter the following text containing an XSS payload.

Proof of Concept

  1. Log in to the portal.
  2. Create a post with the XSS payload.
  3. Save it.

Payload

<iframe srcdoc='&lt;body onload=prompt&lpar;99&rpar;&gt;'>>#09;&gt;&


Impact

If exploited, this vulnerability could allow an attacker to steal sensitive information, such as login credentials, from users visiting the affected website.

A low-privileged user can create a post with an injected payload to steal admin cookies or gain admin access.

User account takeover, including admin.
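The payload in the Proof of Concept puts its markup inside an entity-encoded `srcdoc` attribute, so a check that only inspects tag and attribute names in the stored post sees nothing but `<iframe srcdoc=...>`. The following is an added example, not code from usememos/memos and not the fix in 0.9.1; all function names are hypothetical, the filter design is an assumption, and the sample string is constructed from the report's payload.

```javascript
// Added example: hypothetical helper names, not code from usememos/memos.
// Constructed sample: the srcdoc part of the payload in the report.
const SAMPLE_POST = "<iframe srcdoc='&lt;body onload=prompt&lpar;99&rpar;&gt;'>";

// Only the named references used in the sample; a real decoder needs the full HTML table.
const NAMED = new Map(Object.entries({ lt: "<", gt: ">", amp: "&", quot: '"', lpar: "(", rpar: ")" }));

// Decode character references as an HTML parser does inside attribute values.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|\w+);/gi, (m, ref) => {
    if (ref[0] !== "#") return NAMED.get(ref) ?? m;
    const hex = /^#x/i.test(ref);
    const cp = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Attribute pairs as a tokenizer sees them: name plus raw (still encoded) value.
function attributes(html) {
  const re = /([^\s"'<>=\/]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))/g;
  return [...html.matchAll(re)].map((m) => ({
    name: m[1].toLowerCase(),
    raw: m[2] ?? m[3] ?? m[4],
  }));
}

// Weak design (assumed for illustration): reject <script> and on* attribute names only.
function attributeFilterAllows(html) {
  return !/<script\b/i.test(html) && !attributes(html).some((a) => a.name.startsWith("on"));
}

// What the browser parses as the nested document of each srcdoc attribute.
function srcdocDocuments(html) {
  return attributes(html).filter((a) => a.name === "srcdoc").map((a) => decodeEntities(a.raw));
}

// Detection: apply the same filter to every decoded srcdoc document as well.
function recursiveFilterAllows(html, depth = 0) {
  if (depth > 5 || !attributeFilterAllows(html)) return false;
  return srcdocDocuments(html).every((doc) => recursiveFilterAllows(doc, depth + 1));
}

// Mitigation: render the post as text so no element is ever created from it.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}
```

Where posts must support rich formatting, an allowlist sanitizer that drops `iframe` and `srcdoc` entirely is a sounder choice than extending a blocklist.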

We are processing your report and will contact the usememos/memos team within 24 hours. 4 months ago
Anil Bhatt modified the report
4 months ago
STEVEN validated this vulnerability 4 months ago
Anil Bhatt has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 64e5c3 4 months ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 4 months ago