2 matches found
CVE-2024-41659 GHSL-2024-034: memos CORS Misconfiguration in server.go
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker...
CVE-2024-29029
Memos: CVE-2024-29029 describes an SSRF flaw at the /o/get/image endpoint in memos 0.13.2 that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is echoed into the current server response, enabling a reflected XSS. The vulnerab...