Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1wNGZ4LXFmMmgtanBtas4AA-4e

High CVSS: 8.6 EPSS: 0.00049% (0.14989 Percentile) EPSS:
Permalink JSON

memos CORS Misconfiguration in server.go (GHSL-2024-034)

Affected Packages Affected Versions Fixed Versions
go:github.com/usememos/memos < 0.21.0 0.21.0
0 Dependent packages
0 Dependent repositories

Affected Version Ranges

All affected versions

0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.19.1, 0.20.0, 0.20.1

All unaffected versions

0.21.0, 0.21.1, 0.22.0, 0.22.1, 0.22.2, 0.22.3, 0.22.4, 0.22.5, 0.23.0, 0.23.1, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.24.4, 0.25.0

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account.

References:

Identifiers

GHSA-p4fx-qf2h-jpmj

CVE-2024-41659

Risk

Severity

High

CVSS

CVSS Score: 8.6

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00049

EPSS Percentile: 0.14989

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/usememos/memos

Date and time

Published

11 months ago

Updated

11 months ago

API

JSON