Stored XSS while creating a new post in usememos/memos

Valid

Reported on

Dec 27th 2022

Description

After login to portal create a new post and type the following text with XSS payload

Proof of Concept

Login to portal.
create a post with xss paylaod
save it

#Payload

<iframe srcdoc='&lt;body onload=prompt&lpar;99&rpar;&gt;'>>#09;&gt;&

Poc:

alt text

Impact

If exploited, this vulnerability could allow an attacker to steal sensitive information, such as login credentials , from users visiting the affected website.

low user can create a post , with injected payload to steal Admin , cookies Or Admin accesss

Users account takeover + admin

We are processing your report and will contact the usememos/memos team within 24 hours. 13 days ago

Anil Bhatt modified the report

13 days ago

STEVEN validated this vulnerability 13 days ago

Anil Bhatt has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

STEVEN marked this as fixed in 0.9.1 with commit 64e5c3 11 days ago

STEVEN has been awarded the fix bounty

This vulnerability has been assigned a CVE

STEVEN published this vulnerability 11 days ago

to join this conversation