Stored XSS in resource file uploading in usememos/memos
Dec 24th 2022
The Resources upload feature does not restrict the type of uploaded file. An attacker can upload an HTML file, and the browser renders it when the resource is requested. The CSP is set to default-src 'self' to prevent inline script execution. However, this is easily bypassed: an uploaded .js file is served from the same origin, so it satisfies 'self', and the HTML file can simply include it with a script tag.
Proof of Concept
First we upload a malicious JS file onto the server:
// step1.js
alert(document.domain);
Then we upload an HTML file which includes this script:
<!-- step2.html -->
<script src=/path/step1.js></script>
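The fix on the serving side is to stop the browser from treating an uploaded resource as a same-origin document or script at all. The following is an added example written for this advisory, not code from the memos project: a Go handler (Go being the language of the memos backend) that serves stored resources with a fixed Content-Type taken from an extension allowlist, `X-Content-Type-Options: nosniff`, `Content-Disposition: attachment` for anything not on the allowlist, and `Content-Security-Policy: sandbox` so that even a rendered document lands in an opaque origin where `default-src 'self'` no longer matches. The in-memory `resources` map, the `/resource/` route and the allowlist are assumptions made for the example; the two entries named after the PoC files are constructed test data.

```go
package main

import (
	"log"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
	"path/filepath"
	"strings"
)

// Constructed in-memory resource store (name -> bytes). The real project keeps
// resources elsewhere; this map is an assumption made for the example. The two
// entries named after the PoC files exist only so the hardened headers can be checked.
var resources = map[string][]byte{
	"step1.js":   []byte("alert(document.domain);"),
	"step2.html": []byte("<script src=/resource/step1.js></script>"),
	"photo.png":  []byte("\x89PNG\r\n\x1a\n"),
}

// inlineTypes maps the extensions a browser may render inline to a fixed
// Content-Type. Everything else (HTML, JS, SVG, PDF, ...) is forced to download.
// SVG is deliberately absent because it can carry script.
var inlineTypes = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
	".webp": "image/webp",
	".txt":  "text/plain; charset=utf-8",
}

// resourceHeaders builds the response headers for an uploaded file:
//   - Content-Type comes from the extension allowlist, never from the
//     client-supplied MIME type or from sniffing the bytes;
//   - nosniff stops the browser from guessing a scriptable type for
//     application/octet-stream;
//   - files off the allowlist get Content-Disposition: attachment, so the
//     browser saves them instead of rendering them as a document;
//   - CSP sandbox puts anything that is rendered into an opaque origin with
//     scripts disabled, so a same-origin script load no longer satisfies 'self'.
func resourceHeaders(name string) http.Header {
	h := http.Header{}
	ext := strings.ToLower(filepath.Ext(name))
	ct, ok := inlineTypes[ext]
	disposition := "inline"
	if !ok {
		ct = "application/octet-stream"
		disposition = "attachment"
	}
	h.Set("Content-Type", ct)
	h.Set("Content-Disposition", mime.FormatMediaType(disposition, map[string]string{"filename": name}))
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "sandbox")
	return h
}

// serveResource looks a file up by its base name and writes it with the hardened headers.
func serveResource(w http.ResponseWriter, r *http.Request) {
	name := path.Base(r.URL.Path) // base name only, so "../" in the URL cannot reach another key
	data, ok := resources[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	for k, v := range resourceHeaders(name) {
		w.Header()[k] = v
	}
	w.Write(data)
}

// fetch runs one GET through serveResource in-process and returns the status
// code and response headers, which is what a reviewer of the fix would inspect.
func fetch(name string) (int, http.Header) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/resource/"+name, nil)
	serveResource(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	http.HandleFunc("/resource/", serveResource)
	log.Println("serving uploaded resources on :8080")
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

With these headers in place, requesting `step2.html` yields an `application/octet-stream` download rather than a rendered page, and `step1.js` can no longer be loaded as a script even from the same origin, because `nosniff` makes the browser refuse a non-JavaScript Content-Type for a script tag. Allowlisting by extension rather than by the MIME type the uploader declares is the important design choice: the declared type is attacker-controlled, the extension map is not.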