Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NTd2LTZ4cDQtcm0yds4AAwkT
usememos/memos vulnerable to account takeover due to improper access control
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Versions prior to 0.9.0 improperly maintain access control allowing an attacker to take over an account by changing header values in the HTTP request.
Permalink: https://github.com/advisories/GHSA-w57v-6xp4-rm2v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NTd2LTZ4cDQtcm0yds4AAwkT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-w57v-6xp4-rm2v, CVE-2022-4689
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-4689
- https://github.com/usememos/memos/commit/dca35bde877aab6e64ef51b52e590b5d48f692f9
- https://huntr.dev/bounties/a78c4326-6e7b-47fe-aa82-461e5c12a4e3
- https://github.com/usememos/memos/pull/831
- https://github.com/advisories/GHSA-w57v-6xp4-rm2v
Blast Radius: 1.0
Affected Packages
go:github.com/usememos/memos
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 0.9.0
Fixed in: 0.9.0
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3
All unaffected versions: 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.18.2