Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NTd2LTZ4cDQtcm0yds4AAwkT
usememos/memos vulnerable to account takeover due to improper access control
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Versions prior to 0.9.0 improperly maintain access control, allowing an attacker to take over an account by changing header values in the HTTP request.
Permalink: https://github.com/advisories/GHSA-w57v-6xp4-rm2v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NTd2LTZ4cDQtcm0yds4AAwkT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: almost 2 years ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00086
EPSS Percentile: 0.3753
Identifiers: GHSA-w57v-6xp4-rm2v, CVE-2022-4689
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-4689
- https://github.com/usememos/memos/commit/dca35bde877aab6e64ef51b52e590b5d48f692f9
- https://huntr.dev/bounties/a78c4326-6e7b-47fe-aa82-461e5c12a4e3
- https://github.com/usememos/memos/pull/831
- https://github.com/advisories/GHSA-w57v-6xp4-rm2v
Blast Radius: 1.0
Affected Packages
go:github.com/usememos/memos
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 0.9.0
Fixed in: 0.9.0
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3
All unaffected versions: 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.19.1, 0.20.0, 0.20.1, 0.21.0, 0.21.1, 0.22.0, 0.22.1, 0.22.2, 0.22.3, 0.22.4, 0.22.5