Cross-site Scripting (XSS) - Stored in nebulade/meemo


Reported on

Jun 25th 2021

✍️ Description

Stored XSS in meemo's file-create functionality.

🕵️‍♂️ Proof of Concept

Test<iframe src=javascript:alert(1) width=0 height=0 style=display:none;></iframe>

Tested on the demo website of the latest release. To reproduce, create a file, add the payload above, and save it.

💥 Impact

This vulnerability allows execution of malicious JavaScript through stored XSS.
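
An added example, not meemo's code and not the change made in commit da151c: one way to keep stored content like the payload above inert is to HTML-escape it at output time and build markup only from an allowlist (here, http/https links). The names `escapeHtml` and `renderStoredText` and the sample strings are hypothetical.

```javascript
// Hypothetical output-encoding renderer for untrusted stored text.
// Assumption: content is plain text; only http(s) URLs become links.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist: scheme must be http or https; the match stops at whitespace,
// angle brackets and quotes so it cannot carry attribute-breaking characters.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/g;

function renderStoredText(text) {
  const src = String(text);
  let out = '';
  let last = 0;
  for (const m of src.matchAll(URL_RE)) {
    // Everything between links is escaped, never passed through as markup.
    out += escapeHtml(src.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(src.slice(last));
  return out.replace(/\n/g, '<br>');
}

// The payload from this report, plus two constructed inputs.
const REPORT_PAYLOAD =
  'Test<iframe src=javascript:alert(1) width=0 height=0 style=display:none;></iframe>';
const SAMPLE_LINK = 'see https://example.com/a?b=1&c=2 now\nnext';
const SAMPLE_BREAKOUT = 'https://example.com/"onmouseover=alert(1)';

console.log(renderStoredText(REPORT_PAYLOAD));
console.log(renderStoredText(SAMPLE_LINK));
console.log(renderStoredText(SAMPLE_BREAKOUT));
```

The same payload string makes a useful regression test: the rendered output for it should contain no `<` character at all.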


We have contacted a member of the nebulade/meemo team and are waiting to hear back 2 years ago
Johannes Zellner marked this as fixed with commit da151c 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE