CSP Bypass leading to Stored XSS in usememos/memos

Critical Vulnerability Information Vulnerability Title CSP bypass via js file in usememos/memos Report Date Dec 23rd 2022 Vulnerability Type CWE-79: Cross-site Scripting (XSS) - Stored Severity High (7.1) Affected Versions 0.9.0 Status Fixed Discoverer Christy__ (@christynorl) - Intermediate Fixer STEVEN (@boojack) - Unverified Description Hello, Maintainer. You submitted a fix in the latest version 0.9.0 with commit c07b4a. But after many tests, I found that this is still not 100% safe. You have set a very simple CSP, which can be bypassed. Steps 1. Create a JS file named '123.js' with the following content: 2. Click on the Resources section to upload the JS file, and copy the JS file's path. For example, the path is: 3. Create an HTML file named 'hello.html' with the following content: 4. Finally, preview the hello.html file. Recommendation My suggestion is to use a more secure CSP. Or if you have a better approach, please consider it. I hope we can make this project better. Here is my recommendation: Impact 1. Theft of admin accounts or cookies, allowing attackers to log in to the backend as an admin and tamper with backend data. 2. Theft of user personal information or login credentials, posing a significant threat to website user security. 3. Website defacement or malware injection, leading to users' computers being infected with malware. 4. Sending advertisements or spam messages, disrupting normal user experience. Location resource.go L268 Resolution Progress 3 years ago, the report was submitted and the usememos/memos team was contacted. 3 years ago, STEVEN verified the vulnerability. 3 years ago, STEVEN marked the vulnerability as fixed in version 0.10.0. 3 years ago, the vulnerability was disclosed.

Goal Reached Thanks to every supporter — we hit 100%!

CSP Bypass leading to Stored XSS in usememos/memos