CVE-2023-0109
Aliases:GHSA-5r2g-59px-3q9wGO-2024-3274
Advisory lineage Upstream: 0 Downstream: 1
Downstream
Analyzed
Published: 15 Nov 2024, 10:57
Last modified:15 Nov 2024, 20:56
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.8 CRITICAL
v3.0 (cve.org)
EPSS Score
0.27% LOW
0% probability +0.07%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
15 Nov 2024, 10:57
Published
Vulnerability first disclosed
15 Nov 2024, 20:56
Last Modified
Vulnerability information updated
Description
A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. When the HTML file is accessed, the malicious script is executed. This can lead to the theft of sensitive information, such as login credentials, from users visiting the affected website. The issue has been fixed in version 0.10.0.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- v3.0•CRITICAL•Score: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.27%• Percentile: 51%
Techniques & Countermeasures
- CWE-79•Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Affected Systems
- github.com/usememos•memos
< 0.10.0
- usememos•memos
0.9.1
- usememos•usememos/memos
≥ unspecified, < 0.10.0
References (6)
- https://huntr.com/bounties/1899ffb2-ce1e-4dc0-af96-972612190f6e
- https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c
- https://nvd.nist.gov/vuln/detail/CVE-2023-0109
- https://github.com/usememos/memos
- https://pkg.go.dev/vuln/GO-2024-3274
- https://github.com/advisories/GHSA-5r2g-59px-3q9w