Stored XSS in memos while creating in usememos/memos

Valid

Reported on

Dec 23rd 2022


Description

After login create a new memo with the following XSS payload

"><img src=x onerror=alert(1)>#{

and click save that will make alert

Proof of Concept

"><img src=x onerror=alert(1)>#{

Impact

Account takeover via steal cookies

We are processing your report and will contact the usememos/memos team within 24 hours. 5 months ago
We have contacted a member of the usememos/memos team and are waiting to hear back 5 months ago
STEVEN validated this vulnerability 4 months ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mohamed
4 months ago

Researcher


Can you assign it as CVE !

STEVEN marked this as fixed in 0.9.1 with commit 64e5c3 4 months ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 4 months ago
to join this conversation