Stored XSS using two files in usememos/memos

Reported on Jan 2nd 2023

I uploaded two files (first => .js, second => .html). The first was a JS file containing a malicious script; I took its URL and added it to the second file as the source of the script tag.

Proof of Concept

// test.js

and assume its URL =>

// test.html
<!-- src= "test.js path" -->
<script src=""></script>

hello world

There is a PoC video.


If exploited, this vulnerability could allow an attacker to steal sensitive information, such as login credentials, from users visiting the affected website, leading to account takeover via cookie theft.
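The report works because the uploaded .html is served back with a renderable content type from the application's own origin, so the `<script src>` to the uploaded .js runs with that origin's cookies. The following is an added example written for this page, not the memos project's code and not the 0.10.0 fix; it contrasts a handler that echoes the uploader-declared type with one that forces active content to download, disables sniffing and sandboxes it. The resource URL `/o/r/1/test.js`, the `activeTypes` list and the handler names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// MIME types a browser will render as markup or execute as script when served inline.
// Assumed list for this example (not the project's own); extend as needed.
var activeTypes = map[string]bool{
	"text/html":              true,
	"application/xhtml+xml":  true,
	"image/svg+xml":          true,
	"text/javascript":        true,
	"application/javascript": true,
	"text/xml":               true,
	"application/xml":        true,
}

// isActiveContent reports whether a media type can run script in the page's origin
// if rendered inline. Unparsable types are treated as active (fail closed).
func isActiveContent(ct string) bool {
	mt, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return true
	}
	return activeTypes[strings.ToLower(mt)]
}

// serveVulnerable reproduces the behaviour the report relies on: the uploader-declared
// type is echoed back verbatim, so an uploaded test.html renders in the app's origin and
// its <script src="..."> pointing at the uploaded test.js executes there.
func serveVulnerable(w http.ResponseWriter, declaredType string, body []byte) {
	w.Header().Set("Content-Type", declaredType)
	w.Write(body)
}

// serveHardened is one way to close the hole: anything that is, or sniffs as, active
// content is sent as opaque bytes with an attachment disposition and a CSP sandbox,
// and sniffing is disabled so a lying declared type cannot be "upgraded" by the browser.
func serveHardened(w http.ResponseWriter, filename, declaredType string, body []byte) {
	ct := declaredType
	if ct == "" {
		ct = "application/octet-stream"
	}
	w.Header().Set("X-Content-Type-Options", "nosniff")
	if isActiveContent(ct) || isActiveContent(http.DetectContentType(body)) {
		ct = "application/octet-stream"
		w.Header().Set("Content-Disposition",
			fmt.Sprintf("attachment; filename=%q", path.Base(filename)))
		// Even a client that ignores the disposition gets an opaque origin with no
		// script allowed, so document.cookie of the app is out of reach.
		w.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'")
	} else {
		w.Header().Set("Content-Disposition",
			fmt.Sprintf("inline; filename=%q", path.Base(filename)))
	}
	w.Header().Set("Content-Type", ct)
	w.Write(body)
}

func main() {
	// Constructed sample uploads mirroring the report: an HTML file whose script tag
	// points at an already-uploaded JS resource (URL assumed), and a benign PNG header.
	html := []byte(`<script src="/o/r/1/test.js"></script>hello world`)
	png := []byte("\x89PNG\r\n\x1a\n")

	for _, f := range []struct {
		name, typ string
		body      []byte
	}{
		{"test.html", "text/html", html},
		{"test.html", "image/png", html}, // declared type lies; body still sniffs as HTML
		{"photo.png", "image/png", png},
	} {
		rec := httptest.NewRecorder()
		serveHardened(rec, f.name, f.typ, f.body)
		fmt.Printf("%s (%s): Content-Type=%s Content-Disposition=%s\n",
			f.name, f.typ, rec.Header().Get("Content-Type"), rec.Header().Get("Content-Disposition"))
	}
}
```

The check on `http.DetectContentType` matters: an uploader who declares `image/png` for an HTML body would otherwise be served inline, and without `nosniff` some browsers would still render it as HTML.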


Timeline

We are processing your report and will contact the usememos/memos team within 24 hours. (a year ago)
A GitHub Issue asking the maintainers to create a exists (a year ago)
Mahmoud Mosbah modified the report (a year ago)
Mahmoud Mosbah modified the report (a year ago)
We have contacted a member of the usememos/memos team and are waiting to hear back. (a year ago)
STEVEN validated this vulnerability. (a year ago)
xmosb7 has been awarded the disclosure bounty; the fix bounty is now up for grabs.
STEVEN marked this as fixed in 0.10.0 with commit 46c13a. (a year ago)
STEVEN has been awarded the fix bounty.
This vulnerability has now been published. (a year ago)
memo.go#L346 has been validated.