repository icon
usememos / memos Project repository

An open source, lightweight note-taking service. Easily capture and share your great thoughts.

Submit a report

FIRST INTERACTION

WITHIN2 DAYS

REVIEW

WITHIN14 DAYS

FIX

WITHIN13 DAYS

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
qqliunian2001
pending
Cross-Site Request Forgery Vulnerability in Logout Functionality
qqliunian2001
pending
Unverified password change : old password can be used as new password
th3l0newolf
pending
weak password policy on user creation
th3l0newolf
pending
Insecure Storage of Sensitive Information in Memos
muhamedfarish
pending
Stored XSS in resource upload
rootaux
pending
Invalid markdown can result in DoS for RSS feeds
rootaux
pending
CSRF - User performed an unexpected sign out
hainguyen0207
pending
IDOR - User can edit rowStatus:(ARCHIVED, NORMAL)
hainguyen0207
pending
Open Redirect at File Upload Vulnerabilities
hainguyen0207
pending
XSS/CSRF in GetImage Endpoint
victorsch
High
CVE-2023-5036
Unverified Password Change in Settings Page
victorsch
pending
Modify avatar to svg xss image
8910jq
pending
Picture EXIF GPS information not stripped
8910jq
pending
PDF XSS
8910jq
pending
List users on system for unauthen user and no ratelimit
meme-dm
self closed
Local File Inclusion (LFI)
mnqazi
High
CVE-2023-4698
Account TakeOver Due to Improper Handling of JWT Tokens
mnqazi
Critical
CVE-2023-4696
archied users can still read and post thoughts.
lujiefsi
pending
Vulnerable to clickjacking
liteshghute
self closed
No limit in the length of openId token results in DOS attack /memory corruption
karthik983
pending
IDOR at change password leads to Account Takeover of any user
karthik983
not applicable
User Enumeration via response timing
karthik983
informative
Medium
IDOR to access stats of any user
karthik983
pending
Pre-auth semi-blind SSRF via /httpmeta endpoint
yuriisanin
pending
Admin can change other user's openId value and can change to desired value
5h4s1
not applicable
ADMIN may activate his account storage resulting in the Deactivate ADMIN
5h4s1
pending
No Protection against Bruteforce attacks on Login page
5h4s1
pending
Enumeration Attack at the login function
5h4s1
self closed
A ssrf in public endpoint
yoshino-s
pending
Deleted user is able to see his account details
earth2sky
pending
Application allows to create account with blank user name and password
earth2sky
pending
Cookie Session Not Expiring in usememos/memos
syq1207
pending
Cross-Site Request Forgery (CSRF) in Add Users bypass CSRF token in usememos/mem...
syq1207
pending
IDOR allows to archive any Account including the ADMIN Account and lockout the A...
ahmedvienna
pending
IDOR allowing ADMIN to manipulate all the Users Information including E-Mail and...
ahmedvienna
pending
White spaces as username leads to permanent Account Lockout and no assignment of...
ahmedvienna
pending
Full Account Take over
0ozero0
informative
High
DDOS Attack through External Ressources
ahmedvienna
pending
IDOR (Insecure Direct Object Reference) allows an attacker to gain access to all...
ahmedvienna
pending
Admin Account Takeover allows controlling and the new Setup of the whole System
ahmedvienna
pending
Unauthorized access to files stored on Memos.
kkasdk
informative
Medium
Validation bypass leads to Denial of service (DDos)
geethu-sudosu
pending
DDOS attack by uploading a few hundred large files
ahmed8magdy
pending
IDOR to read the file of another user
zoro2000
pending
Username enumeration via login api feature
mike993
pending
IDOR in /api/memo?creatorId=:userId&visibility=:visibility endpoint allows to vi...
panya
pending
memos_session Cookie Set Without 'Secure" Flag
0xsu3ks
pending
Adding Shortcuts inside Admin Panel without any privilege
7h3h4ckv157
pending
xss via The href attribute of the a tag
christynorl
pending
Stored xss using Additional script
xo19do
pending
IDOR leads to updation of other users information
nithissh200
pending
User Enumeration through the Login Function [/api/auth/signin]
itsfading
pending
Privilege escalation API list user
duongli99
pending
Click Jacking
imsushantkamble
pending
Access Control Issue due to vulnerable cache integration
xanhacks
pending
user name enumeration
adwaithcp
pending
Preview resource does not authenticate user
duongli99
pending
Privilege vulnerability at API Delete Tags
duongli99
pending
IDOR to pin/unpin memo
duongli99
pending
a non user can enumrate all users details wit(IDOR)
leminv
pending
Broken access control allow to Access uploaded files of any user
gaurav-g2
pending
Missing Function Level Access Control
domiee13
pending
Stored XSS by link markdown
j0ok34n
Critical
CVE-2023-0106
Stored XSS via markdown link
domiee13
Medium
CVE-2023-0107
XSS via upload pdf file
christynorl
High
CVE-2023-0108
Stored XSS using two files
xmosb7
Critical
CVE-2023-0109
improper access control
toradagamil
pending
Stored XSS
mohamedabdelhady933
duplicate
High
Bypass Stored XSS while creating a new post
xo19do
High
CVE-2022-4865
Admin is able to ARCHIVE OWN Account leads to Deactivate ADMIN Account
xo19do
High
CVE-2022-4863
privilege escalation : Low access user can view Admin PRIVATE POST by using PI...
xo19do
High
CVE-2023-4697
Bypassing filters to trigger XSS while creating memos
nehalr777
Critical
CVE-2022-4866
CSRF allows attacker trigger admin add HOST user lead to takeover memos applicat...
shino-337
Medium
CVE-2022-4844
Able to assign ADMIN role to new User
trumthiphi
informative
High
Unpinning, Pinning, & Editing Other Users Shortcuts & Editing Resource Filenames...
1d8
duplicate
High
IDOR To Access Other Users' Resources
1d8
pending
Add any thoughts via CSRF
samirwaleed
Medium
CVE-2022-4845
Cross-Site Request Forgery (CSRF) in Add Users
xo19do
Medium
CVE-2022-4846
CSRF to change user language preferences
nehalr777
High
CVE-2022-4847
CSRF to add shortcuts to victim account
nehalr777
High
CVE-2022-4848
IDOR to delete user resources
nehalr777
High
CVE-2022-4812
IDOR to delete memo from archives
nehalr777
High
CVE-2022-4813
IDOR to archive victims memo
nehalr777
High
CVE-2022-4814
Stored XSS while creating a new post
xo19do
High
CVE-2022-4839
Able to assign HOST role to new User
xo19do
Medium
CVE-2022-4808
Mass Assignment Vulnerability in Memo Creation Endpoint allows creating new memo...
alanbriangh
duplicate
High
Cross Site Request Forgery in Create a Memo Functionality (POST /api/memo)
alanbriangh
Medium
CVE-2022-4850
Stored XSS with CSP bypass through JS file upload
leorac
Medium
CVE-2023-0111
An attacker can be post message in other memos page
quangdaik2362001
Critical
CVE-2022-4851
IDOR allows to see, update and delete other users shortcuts
leorac
Critical
CVE-2022-4802
IDOR allows to see and delete other users resources
leorac
self closed
Get all file in resource of any user and Delete any file of any user via IDOR
trumthiphi
High
CVE-2022-4803
Unauthorized Attacker Can Change Visibility Status of Victim's Memos
1d8
High
CVE-2022-4804
Delete all note of all user in application
trumthiphi
High
CVE-2022-4796
An user can delete other user's post
quangdaik2362001
Critical
CVE-2022-4797
Get all information any user via IDOR without login
trumthiphi
self closed
Failure to Invalidate Session on Logout
drxadz
pending
Privilege Escalation
mohamedabdelhady933
pending
takeover all users accounts
wickrine
informative
High
User's private Information Disclosure At API Endpoint
wickrine
informative
High
Admin account takeover
xtaraim
informative
High
Reset API any user via IDOR
samirwaleed
High
CVE-2022-4798
Delete any post for all users via IDOR
samirwaleed
High
CVE-2022-4799
Stored XSS in resource file uploading
benasin
High
CVE-2023-0112
Archive any post (public / private) using IDOR
samsamurai
High
CVE-2022-4801
IDOR results in deletion of others public & private memos
argonx21
High
CVE-2022-4806
Users can edit and delete all other user shortcuts
juylang
High
CVE-2022-4807
CSRF allows attacker to add malicious tags to vitim account
nehalr777
High
CVE-2022-4800
CSRF allows attacker to post on behalf of victim
nehalr777
High
CVE-2022-4849
CSP passby via js file
christynorl
High
CVE-2023-0110
Stored XSS while adding a memo
nehalr777
High
CVE-2022-4841
Stored XSS in memos while creating
mohamedabdelhady933
High
CVE-2022-4840
Archive any private memos + Delete any Shortcut + Edit any Shortcut from other u...
kevinkien
High
CVE-2022-4805
View any content private memos from other users
kevinkien
Medium
CVE-2022-4810
Access all Private Memos by unauthorized user
mohamedabdelhady933
High
CVE-2022-4811
Denial of Service
mohamedabdelhady933
High
CVE-2022-4767
Full account takeover
mohamedabdelhady933
High
CVE-2022-4809
Email exposure of users to an authorized user
ayoub0x1
High
CVE-2022-4734
Reset API any user via IDOR
samirwaleed
High
CVE-2022-4686
Critical Account Takeover and Privilege Escalation
michaellok001
High
CVE-2022-4685
Stored XSS in Search
uonghoangminhchau
Medium
CVE-2022-4694
Privilege vulnerability at API Change Password
uonghoangminhchau
High
CVE-2022-4687
Cookie without Secure attribute
uonghoangminhchau
Medium
CVE-2022-4683
A user can update information / password from other users
acciobugs
High
CVE-2022-4688
A user can edit private memos from other users
acciobugs
High
CVE-2022-4684
XSS by uploading svg files
christynorl
High
CVE-2022-4692
Cross-site scripting - Stored via upload `.svg` file in
juylang
High
CVE-2022-4691
Stored XSS via SVG File
mike993
High
CVE-2022-4690
Stored XSS while creating a new post
mohamedabdelhady933
High
CVE-2022-4695
Account takeover via changing password
mohamedabdelhady933
High
CVE-2022-4689
Cross-site scripting
lujiefsi
High
CVE-2022-4609