References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

OR
          *cpe:2.3:a:usememos:memos:0.22.0:*:*:*:*:*:*:*

MITRE: https://github.com/usememos/memos/blob/v0.24.0/server/router/api/v1/user_service.go#L147 Types: Product

MITRE: https://github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go#L48 Types: Product

MITRE: https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples/ Types: Exploit, Patch, Third Party Advisory

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

https://github.com/usememos/memos/blob/v0.24.0/server/router/api/v1/user_service.go#L147

https://github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go#L48

https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples/