CVE-2023-0109

MEDIUM

usememos memos < 0.10.0 - Stored Cross-Site Scripting via JavaScript File Upload

Title source: llm

Description

A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. When the HTML file is accessed, the malicious script is executed. This can lead to the theft of sensitive information, such as login credentials, from users visiting the affected website. The issue has been fixed in version 0.10.0.

Scores

CVSS v3 5.4
EPSS 0.0044
EPSS Percentile 34.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
usememos/memos 0.9.1
usememos/memos 0 - 0.10.0 (Go)
Published Nov 15, 2024
Tracked Since Feb 18, 2026