Headline
CVE-2022-4695: Stored XSS while creating a new post in memos
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.
Valid
Reported on
Dec 19th 2022
Description
After logging in, create a new post and type the following text containing the XSS payload:
XSS in create post [<img src=x onerror=alert(1)>](http://test.cc)
Then click post, and the payload will be executed.
Proof of Concept
XSS in create post [te<img src=x onerror=alert(1)>te](http://google.com)
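The proof of concept works because the link text of a Markdown link reaches the page as HTML. The following is an added example, not code from usememos/memos: it assumes a simple regex-based link renderer, and all function names are hypothetical. It shows the unsafe interpolation beside a hardened renderer that escapes every text segment and allow-lists the link scheme.

```javascript
// Added example; not the memos implementation. All names are hypothetical.
// Matches a Markdown inline link: [text](url)
const LINK_RE = /\[([^\]]*)\]\(([^)\s]+)\)/g;

// The proof-of-concept string from this report, used as sample input.
const SAMPLE_MEMO =
  "XSS in create post [te<img src=x onerror=alert(1)>te](http://google.com)";

// Escape the HTML-significant characters so text can never become markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only http(s) and mailto targets; anything else is replaced by "#".
function safeHref(raw) {
  try {
    const u = new URL(raw);
    return ["http:", "https:", "mailto:"].includes(u.protocol) ? u.href : "#";
  } catch {
    return "#"; // not an absolute URL
  }
}

// Unsafe pattern: link text and URL are interpolated into HTML unchanged,
// so the <img ... onerror=...> inside the brackets becomes a live element.
function renderLinksUnsafe(memo) {
  return memo.replace(LINK_RE, (_, text, url) => `<a href="${url}">${text}</a>`);
}

// Hardened pattern: escape the text between links, the link text itself,
// and the validated href before building the anchor element.
function renderLinksSafe(memo) {
  let out = "";
  let last = 0;
  for (const m of memo.matchAll(LINK_RE)) {
    out += escapeHtml(memo.slice(last, m.index));
    const href = escapeHtml(safeHref(m[2]));
    out += `<a href="${href}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(memo.slice(last));
}

console.log(renderLinksUnsafe(SAMPLE_MEMO));
console.log(renderLinksSafe(SAMPLE_MEMO));
```

With the hardened renderer the payload is displayed as literal text inside the link instead of being parsed as an element.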
Impact
User account takeover + admin
Related news
GHSA-c2v4-8r9g-g5xj: usememos/memos vulnerable to stored Cross-site Scripting