github.com/usememos/memos is vulnerable to stored cross-site scripting attacks. When a user uploads a file with .svg
extension with direct access, the server response with content-type: image/svg+xml
leading to processing SVG as HTML, allowing an attacker to inject malicious javascript.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/usememos/memos | le | v0.8.3 | |
github.com/usememos/memos | le | v0.8.3 |