Headline
CVE-2022-4694: Stored XSS in Search in memos
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.
Description
Stored XSS is a type of XSS in which the malicious code is stored by the application. The demo website is affected by it.
Proof of Concept
#1. Access the demo website https://demo.usememos.com/
#2. At "Any thoughts…", write an XSS payload and save it. In this scenario, I used the payload: "><img src=x onerror=alert("XSS")>
#3. Now, in the search bar, just type "> (or any character in the payload) and the payload will be triggered.
Link: https://drive.google.com/file/d/1OfyG91RtpV-_rUanDrWiTbStjf0X7QJN/view?usp=sharing
Impact
An attacker is able to steal a user's cookies.
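The proof of concept fires when a search term matches the stored memo, which is what happens if a search view re-renders matching memo text as HTML. The JavaScript below is an added example, not code from usememos/memos or from the report: the unsafe renderer, the function names and the use of <mark> for highlighting are assumptions, since the page does not show the affected code. It contrasts that pattern with a renderer that matches on the raw text and escapes every segment before output.

```javascript
// Added example; all function names are hypothetical, not the memos code base.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Treat the user's query as a literal string, not as a regular expression.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Unsafe pattern (assumed for illustration): stored memo text is handled as HTML,
// so any markup saved in the memo reaches the page unchanged.
function highlightUnsafe(memoText, query) {
  if (!query) return memoText;
  return memoText.replace(new RegExp(escapeRegExp(query), "gi"), (m) => `<mark>${m}</mark>`);
}

// Hardened pattern: find matches in the raw text, escape every segment,
// and emit <mark> as the only markup the renderer itself produces.
function highlightSafe(memoText, query) {
  if (!query) return escapeHtml(memoText);
  const re = new RegExp(escapeRegExp(query), "gi");
  let out = "";
  let last = 0;
  for (const m of memoText.matchAll(re)) {
    out += escapeHtml(memoText.slice(last, m.index));
    out += `<mark>${escapeHtml(m[0])}</mark>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(memoText.slice(last));
}

// Constructed sample: the payload quoted in the proof of concept, as stored memo text.
const storedMemo = '"><img src=x onerror=alert("XSS")>';

console.log(highlightUnsafe(storedMemo, '">')); // raw <img> tag survives
console.log(highlightSafe(storedMemo, '">'));   // tag is rendered as inert text
```

Matching before escaping also keeps a query such as amp from matching inside an &amp; entity produced by the encoder.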
Related news
GHSA-v92p-phmp-xffr: usememos/memos vulnerable to stored Cross-site Scripting