Cross-site Scripting (XSS)

2022-12-2704:00:26

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

xss

github.com

usememos/memos

newserver function

user-input sanitization

malicious svg file

0.001 Low

EPSS

Percentile

20.3%

JSON

github.com/usememos/memos is vulnerable to cross site scripting. The vulnerability exists in the NewServer function of server.go because of a image direct link due to improper user-input sanitization by uploading a malicious svg file.

CPENameOperatorVersion
github.com/usememos/memoslev0.8.3
github.com/usememos/memoslev0.8.3

CPE	Name	Operator	Version
	github.com/usememos/memos	le	v0.8.3
	github.com/usememos/memos	le	v0.8.3

References

github.com/advisories/GHSA-c8jh-vcjh-fx2w

github.com/usememos/memos/commit/c07b4a57caa89905e54b800f4d8fb720bbf5bf82

github.com/usememos/memos/pull/832

huntr.dev/bounties/7e1be91d-3b13-4300-8af2-9bd9665ec335

0.001 Low

EPSS

Percentile

20.3%

JSON

Related for VERACODE:38654