id: GO-2023-1566
modules:
- module: github.com/usememos/memos
  versions:
  - fixed: 0.10.4-0.20230211093429-b11d2130a084
  vulnerable_at: 0.10.3
  packages:
  - package: github.com/usememos/memos/server
    symbols:
    - Server.registerResourcePublicRoutes
    - Server.registerResourceRoutes
    derived_symbols:
    - NewServer
summary: Cross site scripting in github.com/usememos/memos
description: |-
  A malicious actor can introduce links starting with a "javascript:" scheme due
  to insufficient checks on external resources. This can be used as part of a
  Cross-site Scripting (XSS) attack.
cves:
- CVE-2022-25978
ghsas:
- GHSA-9w8x-5hv5-r6gw
credits:
- Kahla
references:
- web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUSEMEMOSMEMOSSERVER-3319070
- fix: https://github.com/usememos/memos/commit/b11d2130a084385eb65c3761a3c841ebe9f81ae8
- report: https://github.com/usememos/memos/issues/1026
review_status: REVIEWED