Stored XSS while creating a new post in usememos/memos

Valid

Reported on

Dec 19th 2022

Description

After login create a new post and type the following text with XSS payload

XSS in create post [<img src=x onerror=alert(1)>](http://test.cc)

then click post that will be executed.

Proof of Concept

XSS in create post [te<img src=x onerror=alert(1)>te](http://google.com)

Impact

Users account takeover + admin

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
Mohamed Abdelhady modified the report
a year ago
Mohamed Abdelhady modified the report
a year ago
We have contacted a member of the usememos/memos team and are waiting to hear back a year ago
usememos/memos maintainer validated this vulnerability a year ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mohamed
a year ago

Researcher

Can You assign it as CVE !

STEVEN marked this as fixed in 0.9.0 with commit 65cc19 a year ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability a year ago
to join this conversation