GHSA-c8jh-vcjh-fx2w

Published: 23 Dec 2022
Source: github
GitHub: Reviewed
CVSS3: 5.4

Description

usememos/memos vulnerable to stored cross-site scripting (XSS)

usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos versions prior to 0.9.0 have a feature to upload a file and display it. By uploading a crafted SVG file, an attacker could perform a stored cross-site scripting attack using the image's direct link. This was patched in version 0.9.0.

Packages

Name: github.com/usememos/memos (go)
Affected versions: < 0.9.0
Fixed version: 0.9.0

EPSS: 0.00261 (Low)
Percentile: 49%

CVSS3: 5.4 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
nvd
about 3 years ago

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.
