github.com/usememos/memos known bugs

go

134 known bugs in github.com/usememos/memos, with affected versions, fixes and workarounds. Sourced from upstream issue trackers.

Known bugs
Each entry lists: Severity | Affected versions | Fixed in | Status | Source, followed by the advisory title and its description.

Severity: high | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-w57v-6xp4-rm2v
usememos/memos vulnerable to account takeover due to improper access control
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Versions prior to 0.9.0 improperly maintain access control, allowing an attacker to take over an account by changing header values in the HTTP request.

Severity: high | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-vwg4-846x-f94v
usememos/memos vulnerable to improper authorization
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos versions prior to 0.9.0 are vulnerable to improper authorization, which can allow a user to modify the nickname, username and email of other users without permission.

Severity: high | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-r3p3-5f35-h6mf
usememos/memos Improper Privilege Management vulnerability
Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1.

Severity: high | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-qr52-59r6-49f4
usememos/memos Improper Access Control vulnerability
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.

Severity: high | Affected: any | Fixed in: 0.21.0 | Status: fixed | Source: osv:GHSA-p4fx-qf2h-jpmj
memos CORS Misconfiguration in server.go (GHSL-2024-034)
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account.

Severity: high | Affected: any | Fixed in: 0.18.2 | Status: fixed | Source: osv:GHSA-mr34-8733-grr2
Memos' Access Tokens Stay Valid after User Password Change
Summary: Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stays valid instead of expiring. If a user finds that their account has been compromised, they can update their password, but the bad actor will still have access to the account because the bad actor's Access Token stays on the list as a valid token. The user has to manually delete the bad actor's Access Token to secure their account. The list of Access Tokens has a generic Description, which makes it hard to pinpoint the bad actor's token in the list.
Details: To improve Memos security, all Access Tokens need to be revoked when a user changes their password. This removes the session for all of the user's devices and prompts the user to log in again. The old Access Tokens can be treated as invalid because they were created under the older password.
PoC:
1. Have 2 devices on hand.
2. Log onto your Memos account on both devices. Notice how an Access Token is created for each.
3. On one device, successfully change the password. Refresh the page on the 2nd device and notice that it does not log out the user.
4. On the 2nd device, change the password again. Refresh the page on the 1st device and notice that it does not log out the user.
Impact: A bad actor will still have access to the user's account because the Access Token does not expire on a password update. Multi-factor authentication would vastly improve account security in account-takeover cases instead of relying on a password alone.

Severity: high | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GHSA-mg56-wc4q-rw4w
memos vulnerability allows the creation of arbitrary accounts
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.

Severity: high | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-mfmp-8mqg-q4wm
usememos/memos Improper Access Control vulnerability
usememos/memos 0.9.0 and prior is vulnerable to Improper Access Control.

Severity: high | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-ghx2-6v4g-9wmm
usememos/memos makes Incorrect Use of Privileged APIs
In usememos/memos 0.9.0 and prior, a user with login permission can delete all notes of the whole application via `API DELETE https://demo.usememos.com/api/memo/$idnote`. Exploiting this destroys every user's notes across the system, causing loss of user data.

Severity: high | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-fv6c-rfg3-gvjw
usememos/memos makes Incorrect Use of Privileged APIs
Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0.

Severity: high | Affected: any | Fixed in: — | Status: open | Source: osv:GHSA-96gq-6ch5-mm54
usememos/memos vulnerable to improper input validation
Improper Input Validation in GitHub repository usememos/memos prior to 0.13.2.

Severity: high | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-6w5w-wx8w-2cq9
usememos/memos Improper Access Control vulnerability
usememos/memos 0.9.0 and prior is vulnerable to full account takeover via changing user name, email address, and display name.

Severity: high | Affected: any | Fixed in: — | Status: open | Source: osv:GHSA-5jqp-wmhj-g33f
usememos/memos Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.

Severity: high | Affected: any | Fixed in: 0.13.2 | Status: fixed | Source: osv:GHSA-5j6p-59cj-j6cp
usememos/memos vulnerable to privilege escalation
Improper Privilege Management in GitHub repository usememos/memos prior to 0.13.2.

Severity: high | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-33m8-f4hw-wm3q
usememos/memos Denial of Service vulnerability
Denial of Service in GitHub repository usememos/memos 0.9.0 and prior. A patch is available on the `main` branch at commit f888c628408501daf639de07b90a72ab443b0f4c.

Severity: high | Affected: any | Fixed in: 0.15.1 | Status: fixed | Source: osv:GHSA-2g7r-9xq5-c6hv
Cross-Site Request Forgery (CSRF) in usememos/memos
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.15.1.

Severity: medium | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GO-2025-4220
memos vulnerability allows arbitrary modification or deletion of registered identity providers in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GO-2025-4218
memos lacks file name validation or verification in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GO-2025-4217
memos vulnerability allows the creation of arbitrary accounts in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GO-2025-4216
memos vulnerability allows arbitrary modification or deletion of attachments in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GO-2025-4215
memos vulnerability allows arbitrary deletion of reactions in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GO-2025-4127
Memos' Access Tokens Stay Valid after User Password Change in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GO-2025-3937
Memos Vulnerable to Stored Cross-Site Scripting in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GO-2025-3936
Memos Vulnerable to Path Traversal via the CreateResource Endpoint in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.24.4 | Status: fixed | Source: osv:GO-2025-3831
Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GO-2025-3492
Memos Server-Side Request Forgery (SSRF) in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GO-2024-3274
Stored XSS using two files in usememos/memos in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.21.0 | Status: fixed | Source: osv:GO-2024-3088
memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.22.0 | Status: fixed | Source: osv:GO-2024-3049
memos vulnerable to Server-Side Request Forgery and Cross-site Scripting in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.16.1 | Status: fixed | Source: osv:GO-2024-3047
memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.22.0 | Status: fixed | Source: osv:GO-2024-3046
memos vulnerable to Server-Side Request Forgery in /api/resource in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.15.1 | Status: fixed | Source: osv:GO-2023-2065
Cross-Site Request Forgery (CSRF) in usememos/memos in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.13.2 | Status: fixed | Source: osv:GO-2023-2038
Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.13.2 | Status: fixed | Source: osv:GO-2023-2036
usememos/memos vulnerable to privilege escalation in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.10.4-0.20230211093429-b11d2130a084 | Status: fixed | Source: osv:GO-2023-1566
Cross site scripting in github.com/usememos/memos
A malicious actor can introduce links starting with a "javascript:" scheme due to insufficient checks on external resources. This can be used as part of a Cross-site Scripting (XSS) attack.

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GO-2023-1469
usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GO-2023-1465
usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GO-2023-1462
usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GO-2023-1461
usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2023-1449
usememos/memos Improper Privilege Management vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2023-1292
usememos/memos Incorrect Use of Privileged APIs vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2023-1291
usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2023-1285
usememos/memos vulnerable to Improper Handling of Values in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2023-1270
usememos/memos vulnerable to Improper Handling of Insufficient Permissions or Privileges in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1266
usememos/memos vulnerable to Improper Verification of Source of a Communication Channel in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1264
usememos/memos has Incorrectly Specified Destination in a Communication Channel in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1263
usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1261
usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1260
usememos/memos vulnerable to Comparison of Object References Instead of Object Contents in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1259
usememos/memos Improper Authorization vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1257
usememos/memos Cross-Site Request Forgery vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1256
usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1253
usememos/memos has Insufficient Granularity of Access Control in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1252
usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1251
usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1250
usememos/memos Cross-Site Request Forgery vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1248
usememos/memos vulnerable to Improper Authorization in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1245
usememos/memos Improper Authorization vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1244
usememos/memos vulnerable to Improper Restriction of Excessive Authentication Attempts in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1243
usememos/memos Improper Authorization vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1240
usememos/memos vulnerable to Improper Verification of Source of a Communication Channel in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1239
usememos/memos Improper Authentication vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1236
usememos/memos makes Incorrect Use of Privileged APIs in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1235
usememos/memos has Insufficient Granularity of Access Control in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1225
usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1220
usememos/memos may leak user information to an authenticated user in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GO-2022-1219
usememos/memos Denial of Service vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1218
usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1217
usememos/memos makes Incorrect Use of Privileged APIs in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1216
usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1215
usememos/memos Authorization Bypass Through User-Controlled Key vulnerability in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1205
usememos/memos vulnerable to improper access control in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1192
usememos/memos missing Secure cookie attribute in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1191
usememos/memos vulnerable to account takeover due to improper access control in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1190
usememos/memos vulnerable to improper authorization in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GO-2022-1189
usememos/memos vulnerable to stored cross-site scripting (XSS) in github.com/usememos/memos

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GHSA-x22v-qgm2-7qc7
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GHSA-wfxg-v3j4-7qmj
Memos Server-Side Request Forgery (SSRF)
elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-vh43-cc6x-prpr
usememos/memos vulnerable to Improper Verification of Source of a Communication Channel
Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos 0.9.0 and prior.

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-v92p-phmp-xffr
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-rx2m-xr4x-54hh
usememos/memos vulnerable to Improper Authorization
usememos/memos 0.9.0 and prior is vulnerable to Improper Authorization.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-rmhx-9h5h-3xh3
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GHSA-rgj5-jj5q-v3v7
Memos Cross-site Scripting vulnerability
Memos, an open-source, self-hosted memo hub, is vulnerable to stored Cross-site Scripting (XSS) in versions 0.8.3 and prior. A patch is available and anticipated to be part of version 0.9.0.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-r7hg-2cpp-8wqq
usememos/memos has Incorrectly Specified Destination in a Communication Channel
Incorrectly Specified Destination in a Communication Channel in GitHub repository usememos/memos 0.9.0 and prior.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-qw36-rw5q-gxcq
usememos/memos Improper Authorization vulnerability
usememos/memos 0.9.0 and prior is vulnerable to Improper Authorization.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-qrrf-xvcf-p64q
usememos/memos vulnerable to Improper Restriction of Excessive Authentication Attempts
In usememos/memos 0.9.0 and prior, an attacker can delete other users' posts by post id, which can be found by brute force.

Severity: medium | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GHSA-qgjp-5g5x-vhq2
memos lacks file name validation or verification
A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-qf9q-3wwx-8qjv
usememos/memos Improper Access Control vulnerability
In usememos/memos 0.9.0 and prior, a user can view any content from other users' private memos via the API.

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-qcw2-492v-57xj
usememos/memos missing Secure cookie attribute
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos prior to 0.9.0 is missing the Secure cookie attribute, making it vulnerable to session hijacking.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-qcf5-m2c6-89f2
usememos/memos Improper Authorization vulnerability
usememos/memos 0.9.0 and prior is vulnerable to Improper Authorization.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-pwhr-p68w-296x
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos 0.9.0 and prior.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-pp3p-6jjh-rmg7
usememos/memos Improper Access Control vulnerability
An Improper Access Control vulnerability in usememos/memos 0.9.0 and prior can result in a user deleting others' public and private memos.

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GHSA-pcvh-px2p-vmxw
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-mq5q-gpgv-pwxw
usememos/memos Incorrect Use of Privileged APIs vulnerability
In usememos/memos 0.9.0 and prior, a user can archive any private memo, delete any shortcut, and edit any shortcut belonging to other users via the API.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-mfvq-m3jj-8864
usememos/memos vulnerable to Improper Verification of Source of a Communication Channel
usememos/memos 0.9.0 and prior is vulnerable to Improper Verification of Source of a Communication Channel.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-m5pr-wm6q-x4g2
usememos/memos vulnerable to Comparison of Object References Instead of Object Contents
Comparison of Object References Instead of Object Contents in GitHub repository usememos/memos 0.9.0 and prior.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-jvq8-w7qv-hqp6
usememos/memos Improper Authentication vulnerability
usememos/memos 0.9.0 and prior is vulnerable to Improper Authentication.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-j593-h5v3-45x6
usememos/memos may leak user information to an authenticated user
usememos/memos 0.9.0 and prior has an endpoint that leaks user information such as names, email, role, and OpenID to an authenticated user. A patch is available at commit 05b41804e33a34102f1f75bb2d69195dda6a1210 on the `main` branch.

Severity: medium | Affected: any | Fixed in: 0.24.4 | Status: fixed | Source: osv:GHSA-hfcf-79gh-f3jc
Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs
The Memos application, up to version v0.24.3, allows the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-hc5q-26h8-r9wf
usememos/memos Improper Authorization vulnerability
In usememos/memos 0.9.0 and prior, an unauthorized user can access any private memo by manipulating the memo URL on the editing screen.

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GHSA-h2ph-9r76-37v5
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-gxqf-4g4p-q3hc
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos 0.9.0 and prior.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-gw9m-2m5v-c6x5
usememos/memos Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-gfj4-wg89-m22r
usememos/memos Improper Access Control vulnerability
In usememos/memos 0.9.0 and prior, users can edit and delete all other users' shortcuts.

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GHSA-fpjc-cxr6-w6h8
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-f83p-pg86-p922
usememos/memos has Insufficient Granularity of Access Control
usememos/memos 0.9.0 and prior allows an attacker to archive any user's public or private post.

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-f552-97qx-c694
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GHSA-cwrm-33qq-4w2x
usememos/memos Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GHSA-cgrg-86m5-xm4w
Memos Vulnerable to Stored Cross-Site Scripting
Memos 0.22 is vulnerable to stored Cross-site Scripting (XSS) via the upload-attachment and user-avatar features. Memos does not verify the content type of the uploaded data and serves it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-c8jh-vcjh-fx2w
usememos/memos vulnerable to stored cross-site scripting (XSS)
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos prior to 0.9.0 has a feature to upload a file and display it; by uploading a crafted SVG file, an attacker could perform a stored cross-site scripting attack via the image's direct link. This was patched in version 0.9.0.

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GHSA-c5hq-35h7-r9x4
usememos/memos Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-c2v4-8r9g-g5xj
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Severity: medium | Affected: any | Fixed in: 0.10.4-0.20230211093429-b11d2130a084 | Status: fixed | Source: osv:GHSA-9w8x-5hv5-r6gw
Cross Site Scripting in usememos/memos
All versions of the package github.com/usememos/memos/server prior to 0.11.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient checks on external resources, which allows malicious actors to introduce links starting with a javascript: scheme.

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-9v48-2h5x-fvpm
usememos/memos vulnerable to improper access control
Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GHSA-9h7x-9pmh-7gg8
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Severity: medium | Affected: any | Fixed in: 0.22.0 | Status: fixed | Source: osv:GHSA-9cqm-mgv9-vv9j
memos vulnerable to Server-Side Request Forgery and Cross-site Scripting
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at `/o/get/image` that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.

Severity: medium | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GHSA-99m2-qwx6-2w6f
memos vulnerability allows arbitrary modification or deletion of registered identity providers
Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).

Severity: medium | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-97rc-mm5j-f6rj
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Severity: medium | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GHSA-8p44-g572-557h
memos vulnerability allows arbitrary modification or deletion of attachments
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.

Severity: medium | Affected: any | Fixed in: 0.25.3 | Status: fixed | Source: osv:GHSA-8jcj-g9f4-qx42
memos vulnerability allows arbitrary deletion of reactions
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GHSA-8686-4cr3-76wj
usememos/memos vulnerable to stored Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-7qpw-2j9m-rw8c
usememos/memos has Insufficient Granularity of Access Control
An Insufficient Granularity of Access Control in usememos/memos prior to 0.9.0 can allow an attacker to delete a memo from the archives.

Severity: medium | Affected: any | Fixed in: — | Status: open | Source: osv:GHSA-78j5-8vq7-jxv5
Memos Vulnerable to Path Traversal via the CreateResource Endpoint
When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-6whj-8g9g-5jvx
usememos/memos vulnerable to Improper Handling of Insufficient Permissions or Privileges
Improper Handling of Insufficient Permissions or Privileges in GitHub repository usememos/memos prior to 0.9.1.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-6fx9-29x2-fmfj
usememos/memos Improper Access Control vulnerability
Improper Access Control in GitHub repository usememos/memos 0.9.0 and prior.

Severity: medium | Affected: any | Fixed in: 0.16.1 | Status: fixed | Source: osv:GHSA-6fcf-g3mp-xj2x
memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at /o/get/httpmeta that allows unauthenticated users to enumerate the internal network and receive limited HTML values in JSON form. This vulnerability is fixed in 0.16.1.

Severity: medium | Affected: any | Fixed in: 0.22.0 | Status: fixed | Source: osv:GHSA-65fm-2jgr-j7qq
memos vulnerable to Server-Side Request Forgery in /api/resource
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at `/api/resource` that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-642q-2q68-9j3p
usememos/memos Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.

Severity: medium | Affected: any | Fixed in: 0.10.0 | Status: fixed | Source: osv:GHSA-5r2g-59px-3q9w
Stored XSS using two files in usememos/memos
A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it from an HTML file. When the HTML file is accessed, the malicious script is executed. This can lead to the theft of sensitive information, such as login credentials, from users visiting the affected website. The issue has been fixed in version 0.10.0.

Severity: medium | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-42q2-m54f-jh95
usememos/memos vulnerable to Improper Handling of Values
In usememos/memos 0.9.0 and prior, an attacker can post malicious content to another user's memos page via a POST request.

Severity: critical | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-x9p9-v3x6-68mq
usememos/memos vulnerable to Cross-site Scripting
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Severity: critical | Affected: any | Fixed in: 0.13.2 | Status: fixed | Source: osv:GHSA-j2gj-g3p9-7mrr
Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos
Improper Access Control in GitHub repository usememos/memos prior to 0.13.2. As of commit `c9aa2eeb9`, access tokens which fail validation are rejected.

Severity: critical | Affected: any | Fixed in: 0.9.1 | Status: fixed | Source: osv:GHSA-8w5q-5fpq-v4pm
usememos/memos Cross-site Scripting vulnerability
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Severity: critical | Affected: any | Fixed in: 0.9.0 | Status: fixed | Source: osv:GHSA-68gw-r2x5-7r5r
usememos/memos Authorization Bypass Through User-Controlled Key vulnerability
Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0.
API access

Get this data programmatically (free, no authentication):

curl https://depscope.dev/api/bugs/go/github.com/usememos/memos