Bypass Stored XSS while creating a new post in usememos/memos


Reported on

Dec 30th 2022


After logging in to the portal, create a new post and type the following text with the XSS payload.

bypass of this fix

Proof of Concept

Log in to the portal.
Create a post with the XSS payload.
Save it.

Bypass Payload

/*/**<input type="text" value=`` <div/onmouseover='alert(1)'>X</div>**/*/*



Users & admin account takeover
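
A defender's regression check for this report, as an added example that is not memos code and not from the researcher: the payload above is run through a hypothetical mini-renderer to show that formatting raw input lets the `<input>` and `<div>` tags through, while escaping HTML before formatting leaves only the renderer's own tags. The function names and the `**bold**`/`*italic*` syntax are assumptions made for illustration.

```javascript
// Added example: hypothetical mini-renderer, NOT the memos code base.
// PAYLOAD is copied verbatim from the report above.
const PAYLOAD = "/*/**<input type=\"text\" value=`` <div/onmouseover='alert(1)'>X</div>**/*/*";

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return text.replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Minimal inline formatter: **bold** and *italic* only (assumed syntax).
function applyInlineMarkup(text) {
  return text
    .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
    .replace(/\*(.+?)\*/g, "<em>$1</em>");
}

// Weak pattern: formats the raw memo, so user-supplied tags pass through.
function renderUnsafe(memo) {
  return applyInlineMarkup(memo);
}

// Hardened pattern: escape first, then add only the tags the renderer emits.
function renderSafe(memo) {
  return applyInlineMarkup(escapeHtml(memo));
}

// Regression check: list tag names in the output that the renderer
// is not allowed to produce (anything outside the allow-list).
function unexpectedTags(html, allowed = ["strong", "em"]) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) found.push(name);
  }
  return [...new Set(found)];
}

console.log("unsafe:", unexpectedTags(renderUnsafe(PAYLOAD)));
console.log("safe:  ", unexpectedTags(renderSafe(PAYLOAD)));
```

A check like `unexpectedTags` belongs in the renderer's test suite with this payload as a fixture, so a later parser change that reintroduces raw HTML fails the build.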

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
Anil Bhatt modified the report
a year ago
STEVEN validated this vulnerability a year ago
xo19do has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 7670c9 a year ago
STEVEN has been awarded the fix bounty
This vulnerability has now been published a year ago