Veracode Vulnerability Database: VERACODE:41823
History: Jul 28, 2023 - 9:01 a.m.

Cross-site Scripting (XSS)

Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: cross-site scripting, github.com/usememos/memos, vulnerability, csp, arbitrary javascript execution

CVSS3: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 22.0%

github.com/usememos/memos is vulnerable to stored Cross-site Scripting (XSS). The vulnerability exists in the registerResourcePublicRoutes function in resource.go: the default-src directive of the Content-Security-Policy header set on publicly served resources is not properly configured, which allows an attacker to bypass the CSP and inject and execute arbitrary JavaScript in the context of the application's origin. Because uploaded resources are rendered by the browser, the payload is stored with the resource and runs for any user who opens it.

