Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS01cjJnLTU5cHgtM3E5d84ABBYl

Moderate EPSS: 0.00068% (0.21402 Percentile) EPSS:
Permalink JSON

Stored XSS using two files in usememos/memos

Affected Packages Affected Versions Fixed Versions
go:github.com/usememos/memos < 0.10.0 0.10.0
0 Dependent packages
0 Dependent repositories

Affected Version Ranges

All affected versions

0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.9.1

All unaffected versions

0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.22.0, 0.22.1, 0.22.2, 0.22.3, 0.22.4, 0.22.5, 0.23.0, 0.23.1, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.25.0

A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. When the HTML file is accessed, the malicious script is executed. This can lead to the theft of sensitive information, such as login credentials, from users visiting the affected website. The issue has been fixed in version 0.10.0.

References:

Identifiers

GHSA-5r2g-59px-3q9w

CVE-2023-0109

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00068

EPSS Percentile: 0.21402

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/usememos/memos

Date and time

Published

8 months ago

Updated

8 months ago

API

JSON