
4 matches found

OSV
added 2026/04/25 9:30 p.m. | 1 view

GHSA-JJ45-XVQ5-RHH9 Kratos has a Confused Deputy issue

A security flaw has been discovered in go-kratos kratos up to 2.9.2. This impacts the function NewServer of the file transport/http/server.go of the component http.DefaultServeMux Fallback Handler. The manipulation results in unintended intermediary. The attack may be launched remotely. The explo...

CVSS 6.9 | AI score 5.5 | EPSS 0.00051
Exploits: 0 | References: 8
Veracode
added 2022/12/30 8:6 a.m. | 18 views

Cross-site Request Forgery (CSRF)

github.com/usememos/memos is vulnerable to cross site request forgery. The vulnerability exists in the NewServer function in server.go, which allows an attacker to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website whil...

CVSS 6.5 | AI score 6.1 | EPSS 0.00114
Exploits: 1 | References: 2 | Affected Software: 1
Veracode
added 2022/12/30 7:20 a.m. | 14 views

Cross-site Request Forgery (CSRF)

github.com/usememos/memos is vulnerable to cross site request forgery. The vulnerability exists in the NewServer function in server.go, because an attacker is able to force an authenticated user to submit a request to a web application against which they are currently authenticated...

CVSS 6.5 | AI score 6.1 | EPSS 0.0016
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2022/12/27 4:0 a.m. | 16 views

Cross-site Scripting (XSS)

github.com/usememos/memos is vulnerable to cross-site scripting. The vulnerability exists in the NewServer function of server.go because of an image direct link due to improper user-input sanitization by uploading a malicious SVG file...

CVSS 5.4 | AI score 5.2 | EPSS 0.00261
Exploits: 1 | References: 4 | Affected Software: 1