CVE-2024-29029
MEDIUM EXPLOITED NUCLEIMemos 0.13.2 - Cross-Site Scripting & SSRF
Title source: nucleiExploitation Summary
CVE-2024-29029 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.
Nuclei Templates (1)
Memos 0.13.2 - Cross-Site Scripting & SSRF
MEDIUMVERIFIEDby ritikchaddha
Shodan:
title:"Memos"
FOFA:
title="Memos"
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/
Patch x_refsource_misc
https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5
Scores
CVSS v3
6.1
EPSS
0.0108
EPSS Percentile
60.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2025-09-25
CWE
CWE-918
CWE-79
Status
published
Products (2)
usememos/memos
< 0.22.0
usememos/memos
0 - 0.22.0Go
Published
Apr 19, 2024
Tracked Since
Feb 18, 2026