huntr | Nehalr777 | FA46B3EF-C621-443A-BE3A-0A83FB78BA62
History: Dec 23, 2022 - 3:49 p.m.

Stored XSS while adding a memo

2022-12-23 15:49:30
nehalr777
www.huntr.dev
11
cross-site scripting
http response
untrusted source
unsafe
memo
proof of concept
pop-up
bug bounty

EPSS

0.001

Percentile

21.9%

Description

Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

Proof of Concept

Payload:  [ "&gt;<img src>] ****

1) Go to https://demo.usememos.com/ and log in to your account
2) Add a memo with the payload mentioned above ( [ "&gt;<img src>] ****)
3) You will see that an XSS pop-up will trigger
4) Each time you visit this page you will see a pop-up

POC video: https://drive.google.com/file/d/1Tg03gDlcxpywoCTXTHKSuSH8xdsPUb5_/view?usp=sharing
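
The store-then-render flow from the description, as an added example that is not code from the Memos project or from the report: a hypothetical in-memory memo store, a renderer that interpolates stored text as-is, a renderer that HTML-escapes before applying a small formatting subset, and a tag allowlist check suitable for a regression test. All function names are assumptions, and the sample memo is constructed from the fragment visible in the payload line.

```javascript
// Hypothetical memo store: id -> raw text exactly as the user submitted it.
const memos = new Map();

function saveMemo(id, text) {
  memos.set(id, text);
}

// Vulnerable pattern: stored text is placed into the response markup unchanged,
// so any tag in the memo becomes live markup on every later page view.
function renderMemoUnsafe(id) {
  return `<div class="memo">${memos.get(id) ?? ""}</div>`;
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: escape first, then apply formatting to the escaped text only.
// The renderer itself is the only source of tags in the output.
function renderMemoSafe(id) {
  const escaped = escapeHtml(memos.get(id) ?? "");
  const formatted = escaped
    .replace(/\*\*(.+?)\*\*/g, "<strong>$1</strong>")
    .replace(/\n/g, "<br>");
  return `<div class="memo">${formatted}</div>`;
}

// Regression check: list tag names in rendered output that the renderer
// is not supposed to emit.
function unexpectedTags(html, allowed = ["div", "strong", "br"]) {
  const names = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return [...new Set(names)].filter((name) => !allowed.includes(name));
}

// Constructed sample memo, modelled on the fragment shown in the payload line.
saveMemo(1, 'note **todo** "><img src>');

console.log(unexpectedTags(renderMemoUnsafe(1)));
console.log(unexpectedTags(renderMemoSafe(1)));
console.log(renderMemoSafe(1));
```

Running `unexpectedTags` over rendered output for a set of stored memos is a cheap test to keep in CI next to the renderer.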

