CVE-2023-0109 — Vulnetix

CVE-2023-0109 PUBLISHED CVSS 9.8 CRITICAL

Reported by @huntr_ai · Published November 15, 2024

A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. When the HTML file is accessed, the malicious script is executed. This can lead to the theft of sensitive information, such as login credentials, from users visiting the affected website. The issue has been fixed in version 0.10.0.

Risk Scores

CVSS 3.0

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
usememos	usememos/memos	unspecified
github.com	usememos/memos	0, 0
usememos	usememos/memos	unspecified, unspecified
usememos	memos	0, 0

Exploit Intelligence

https://huntr.com/bounties/1899ffb2-ce1e-4dc0-af96-972612190f6e (nist-nvd)

Timeline

Nov 15, 2024 CVE Published
Nov 16, 2024 EPSS Score
Nov 19, 2024 CVE Updated
Dec 5, 2024 EPSS Score
Dec 22, 2024 EPSS Score
Jan 9, 2025 EPSS Score
Jan 26, 2025 EPSS Score
Feb 13, 2025 EPSS Score
Mar 3, 2025 EPSS Score
Mar 20, 2025 EPSS Score
Apr 7, 2025 EPSS Score
Apr 24, 2025 EPSS Score

References

https://nvd.nist.gov/vuln/detail/CVE-2023-0109 advisory
https://github.com/advisories/GHSA-5r2g-59px-3q9w advisory
https://github.com/usememos/memos url

Open in Interactive Console →