Cookie without Secure attribute in usememos/memos

Status: Valid

Reported on Dec 21st 2022


Description

At the moment, the memos_session cookie is issued without the Secure attribute (its Secure flag shows as false in the browser's cookie inspector).

Proof of Concept

  1. Open the web demo at https://demo.usememos.com/.

  2. Inspect the site's cookies with the browser's developer tools: the memos_session cookie is present and its Secure column reads false.

Impact

Because the Secure attribute is missing, the browser will also attach the memos_session cookie to unencrypted requests sent to the same host over plain HTTP, so anyone on the network path can read the session token. Setting the Secure attribute restricts the cookie to HTTPS requests.
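The following is an added example, not code from the memos project or from the original report. It reproduces the reported condition in a stand-alone Go program: one handler issues memos_session without Secure (the behaviour described above), a second issues it with Secure, and two helpers perform the checks a practitioner would want: parsing the Set-Cookie header the way the dev-tools inspector does, and loading the cookie into a client-side jar to see whether it would be sent on a plain http:// request to the same host. The handler shape, the dummy token value and the use of demo.usememos.com purely as a URL string are assumptions; nothing here touches the network.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
)

const sessionCookieName = "memos_session"

// setSessionInsecure mirrors the reported condition: the session cookie is
// issued without the Secure attribute. Illustrative handler, not memos code.
func setSessionInsecure(w http.ResponseWriter, _ *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookieName,
		Value:    "dummy-session-token", // constructed value
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	})
}

// setSessionSecure is the hardened form: Secure tells the browser to attach
// the cookie only to HTTPS requests.
func setSessionSecure(w http.ResponseWriter, _ *http.Request) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookieName,
		Value:    "dummy-session-token", // constructed value
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	})
}

// issuedCookie runs the handler against a recorder and returns the parsed
// memos_session cookie from its Set-Cookie header; this is the programmatic
// equivalent of reading the Secure column in the browser's dev tools.
func issuedCookie(h http.HandlerFunc) *http.Cookie {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "https://demo.usememos.com/", nil))
	for _, c := range rec.Result().Cookies() {
		if c.Name == sessionCookieName {
			return c
		}
	}
	return nil
}

// sentOverPlainHTTP stores the cookie in a cookie jar as a browser would
// (received from the HTTPS origin) and reports whether the jar would attach
// it to a plain http:// request to the same host. The jar applies the same
// rule as browsers: a Secure cookie is never sent over http.
func sentOverPlainHTTP(c *http.Cookie) bool {
	jar, _ := cookiejar.New(nil)
	origin, _ := url.Parse("https://demo.usememos.com/")
	jar.SetCookies(origin, []*http.Cookie{c})

	plain, _ := url.Parse("http://demo.usememos.com/")
	for _, got := range jar.Cookies(plain) {
		if got.Name == c.Name {
			return true
		}
	}
	return false
}

func main() {
	for _, tc := range []struct {
		label string
		h     http.HandlerFunc
	}{
		{"without Secure", setSessionInsecure},
		{"with Secure", setSessionSecure},
	} {
		c := issuedCookie(tc.h)
		fmt.Printf("%-15s Secure=%-5v leaks over http://: %v\n", tc.label, c.Secure, sentOverPlainHTTP(c))
	}
}
```

The jar check is the part worth keeping in a regression test for any session cookie: it fails the moment someone drops the Secure attribute again, regardless of how the Set-Cookie header is assembled.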

Timeline

  - We are processing your report and will contact the usememos/memos team within 24 hours.
  - A GitHub Issue asking the maintainers to create a SECURITY.md exists.
  - We have contacted a member of the usememos/memos team and are waiting to hear back.
  - STEVEN validated this vulnerability.
  - Chuu has been awarded the disclosure bounty.
  - The fix bounty is now up for grabs.
  - The researcher's credibility has increased: +7
  - STEVEN marked this as fixed in 0.9.0 with commit 7efa74.
  - STEVEN has been awarded the fix bounty.
  - This vulnerability has been assigned a CVE.
  - STEVEN published this vulnerability.