| id: GO-2023-1566 |
| modules: |
| - module: github.com/usememos/memos |
| versions: |
| - fixed: 0.10.4-0.20230211093429-b11d2130a084 |
| vulnerable_at: 0.10.3 |
| packages: |
| - package: github.com/usememos/memos/server |
| symbols: |
| - Server.registerResourcePublicRoutes |
| - Server.registerResourceRoutes |
| derived_symbols: |
| - NewServer |
| summary: Cross site scripting in github.com/usememos/memos |
| description: |- |
| A malicious actor can introduce links starting with a "javascript:" scheme due |
| to insufficient checks on external resources. This can be used as a part of |
| Cross-site Scripting (XSS) attack. |
| cves: |
| - CVE-2022-25978 |
| ghsas: |
| - GHSA-9w8x-5hv5-r6gw |
| credits: |
| - Kahla |
| references: |
| - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUSEMEMOSMEMOSSERVER-3319070 |
| - fix: https://github.com/usememos/memos/commit/b11d2130a084385eb65c3761a3c841ebe9f81ae8 |
| - report: https://github.com/usememos/memos/issues/1026 |
| review_status: REVIEWED |