Submission #793432: Usememos Memos 0.22.1 Cross Site Scripting

Info

Title: Usememos Memos 0.22.1 Cross Site Scripting
Description:
A critical vulnerability has been discovered in usememos/memos (versions up to and including 0.22.1). This security flaw involves a combination of Broken Access Control (CWE-284) and Stored Cross-Site Scripting (CWE-79). The backend gRPC-web endpoint 'UpdateInstanceSetting' fails to properly validate user permissions, allowing a standard 'Member' user to bypass the frontend UI restrictions and modify global instance settings. Specifically, an attacker can navigate to the system settings page and inject malicious JavaScript or CSS into the 'additionalStyle' or 'additionalScript' fields. Because the frontend application (src/App.tsx) injects these settings directly into the DOM using the 'innerHTML' property without sanitization, the malicious code is executed in the context of every user visiting the site (including administrators). This allows for full session hijacking, credential theft (memos_access_token), and unauthorized administrative actions.

2. Short Summary (Submission Title/Summary Field)
Critical vulnerability chain in usememos/memos allows unprivileged users to perform Stored XSS and hijack global instance settings due to broken access control on the UpdateInstanceSetting gRPC-web endpoint.

3. Quick Reference for VulDB Fields
Class: Web Application
Type: Stored XSS / Broken Access Control
CWE: CWE-79 / CWE-284
Impact: Critical (Full System/Session Compromise)
CVSS v3.1/4.0: ~9.0
Source: https://github.com/Dave-gilmore-aus/security-advisories/blob/main/usememos-security-advisory
User: davidgilmore (UID 96940)
Submitted: 31/03/2026 07:22 (21 days ago)
Moderated: 19/04/2026 21:17 (20 days later)
Status: accepted
VulDB Entry: 358268 [usememos up to 0.22.1 UpdateInstanceSetting src/App.tsx memos_access_token additionalStyle/additionalScript privilege escalation]
Points: 20
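The root cause in the description is the missing server-side authorization check on UpdateInstanceSetting: the frontend hides the settings page from Members, but the backend accepts the call from any authenticated user. The following Go program is an added illustration written for this page, not code from the memos project; the role names (RoleHost, RoleAdmin, RoleMember), the context helper and the Server type are assumptions, and the request type carries only the two fields the advisory names. It places the vulnerable handler beside a hardened one that enforces the role check where it must live, on the server.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Role models the user roles the advisory refers to. The constant names are
// assumptions for this example, not the project's own identifiers.
type Role string

const (
	RoleHost   Role = "HOST"
	RoleAdmin  Role = "ADMIN"
	RoleMember Role = "MEMBER"
)

// User is the authenticated caller attached to the request context.
type User struct {
	ID   int32
	Role Role
}

// InstanceSetting holds the two instance-wide fields named in the advisory.
type InstanceSetting struct {
	AdditionalStyle  string
	AdditionalScript string
}

type userKey struct{}

// WithUser attaches the authenticated user to ctx. It stands in for the
// project's authentication interceptor, which is not reproduced here.
func WithUser(ctx context.Context, u *User) context.Context {
	return context.WithValue(ctx, userKey{}, u)
}

func userFromContext(ctx context.Context) (*User, bool) {
	u, ok := ctx.Value(userKey{}).(*User)
	return u, ok && u != nil
}

var (
	ErrUnauthenticated  = errors.New("unauthenticated")
	ErrPermissionDenied = errors.New("permission denied: instance settings are host/admin only")
)

// Server is a stand-in for the gRPC-web service; Settings is the global state
// that every browser later renders (via the style/script injection in App.tsx).
type Server struct {
	Settings InstanceSetting
}

// UpdateInstanceSettingVulnerable mirrors the flaw described above: it only
// requires a logged-in caller and never checks the role, so a Member can
// overwrite instance-wide settings that the UI never offered to them.
func (s *Server) UpdateInstanceSettingVulnerable(ctx context.Context, req InstanceSetting) error {
	if _, ok := userFromContext(ctx); !ok {
		return ErrUnauthenticated
	}
	s.Settings = req
	return nil
}

// UpdateInstanceSettingFixed enforces the role check on the server side.
// Hiding the settings page in the frontend is not an access control; the
// gRPC-web endpoint is reachable by any client that can send the request.
func (s *Server) UpdateInstanceSettingFixed(ctx context.Context, req InstanceSetting) error {
	u, ok := userFromContext(ctx)
	if !ok {
		return ErrUnauthenticated
	}
	if u.Role != RoleHost && u.Role != RoleAdmin {
		// Wrap the sentinel so callers can match it with errors.Is.
		return fmt.Errorf("user %d (%s): %w", u.ID, u.Role, ErrPermissionDenied)
	}
	s.Settings = req
	return nil
}

func main() {
	// Constructed sample: a Member tries to set a custom stylesheet.
	member := WithUser(context.Background(), &User{ID: 2, Role: RoleMember})
	req := InstanceSetting{AdditionalStyle: "/* constructed sample */ body { color: red; }"}

	vuln := &Server{}
	fmt.Println("vulnerable:", vuln.UpdateInstanceSettingVulnerable(member, req), "->", vuln.Settings.AdditionalStyle)

	fixed := &Server{}
	fmt.Println("fixed:", fixed.UpdateInstanceSettingFixed(member, req), "->", fixed.Settings.AdditionalStyle)
}
```

The hardened handler rejects the Member before any state is touched, so the stored-XSS half of the chain never gets a foothold; the additionalStyle/additionalScript feature itself remains an intentional, host-only capability. A useful detection on a deployment that has not yet upgraded is to alert on any successful UpdateInstanceSetting call whose caller is not a host or admin account.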
