GHSA-c8jh-vcjh-fx2w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c8jh-vcjh-fx2w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-c8jh-vcjh-fx2w/GHSA-c8jh-vcjh-fx2w.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-c8jh-vcjh-fx2w
- Aliases
- Published
- 2022-12-23T12:30:25Z
- Modified
- 2024-08-21T16:29:14.539750Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- usememos/memos vulnerable to stored cross-site scripting (XSS)
- Details
-
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos prior to 0.9.0 has a feature to upload file and display it, and by uploading a crafted SVG file, an attacker could perform a stored cross-site scripting attack with the image direct link. This was patched in version 0.9.0.
- Database specific
{ "nvd_published_at": "2022-12-23T12:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-27T01:29:44Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-4690
- https://github.com/usememos/memos/pull/833
- https://github.com/usememos/memos/commit/65cc19c12efa392f792f6bb154b4838547e0af5e
- https://github.com/usememos/memos/commit/c07b4a57caa89905e54b800f4d8fb720bbf5bf82
- https://github.com/usememos/memos
- https://huntr.dev/bounties/7e1be91d-3b13-4300-8af2-9bd9665ec335
Affected packages
Go / github.com/usememos/memos
Package
- Name
- github.com/usememos/memos
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/usememos/memos