CVE-2022-4690
MEDIUM5.4EPSS 0.26%usememos/memos vulnerable to stored cross-site scripting (XSS)
發布日:2022/12/23修改日:2024/8/21
描述
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos prior to 0.9.0 has a feature to upload file and display it, and by uploading a crafted SVG file, an attacker could perform a stored cross-site scripting attack with the image direct link. This was patched in version 0.9.0.
受影響套件(2)
- Go/github.com/usememos/memosfrom 0, < 0.9.0
- Go/github.com/usememos/memosfrom 0, < 0.9.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
參考連結(7)
- ADVISORYhttps://github.com/advisories/GHSA-c8jh-vcjh-fx2w
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-4690
- WEBhttps://github.com/usememos/memos
- WEBhttps://github.com/usememos/memos/commit/65cc19c12efa392f792f6bb154b4838547e0af5e
- WEBhttps://github.com/usememos/memos/commit/c07b4a57caa89905e54b800f4d8fb720bbf5bf82
- WEBhttps://github.com/usememos/memos/pull/833
- WEBhttps://huntr.dev/bounties/7e1be91d-3b13-4300-8af2-9bd9665ec335