x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5r2g-59px-3q9w

[GoVulnBot]

Advisory GHSA-5r2g-59px-3q9w references a vulnerability in the following Go modules:

Module
github.com/usememos/memos

Description: A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. When the HTML file is accessed, the malicious script is executed. This can lead to the theft of sensitive information, such as login credentials, from users visiting the affected website. The issue has been fixed in version 0.10.0.

References:

• ADVISORY: https://github.com/advisories/GHSA-5r2g-59px-3q9w
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-0109
• FIX: https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c
• WEB: https://huntr.com/bounties/1899ffb2-ce1e-4dc0-af96-972612190f6e

Cross references:

• github.com/usememos/memos appears in 63 other report(s):
  • data/excluded/GO-2022-1173.yaml (https://github.com/golang/vulndb/issues/1173) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1226.yaml (https://github.com/golang/vulndb/issues/1226) NOT_GO_CODE
  • data/excluded/GO-2022-1228.yaml (https://github.com/golang/vulndb/issues/1228) NOT_GO_CODE
  • data/excluded/GO-2022-1254.yaml (https://github.com/golang/vulndb/issues/1254) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1255.yaml (https://github.com/golang/vulndb/issues/1255) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1258.yaml (https://github.com/golang/vulndb/issues/1258) NOT_GO_CODE
  • data/excluded/GO-2022-1262.yaml (https://github.com/golang/vulndb/issues/1262) NOT_GO_CODE
  • data/excluded/GO-2022-1265.yaml (https://github.com/golang/vulndb/issues/1265) NOT_GO_CODE
  • data/excluded/GO-2023-1271.yaml (https://github.com/golang/vulndb/issues/1271) NOT_GO_CODE
  • data/excluded/GO-2023-1272.yaml (https://github.com/golang/vulndb/issues/1272) NOT_GO_CODE
  • data/excluded/GO-2023-1286.yaml (https://github.com/golang/vulndb/issues/1286) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1460.yaml (https://github.com/golang/vulndb/issues/1460) NOT_GO_CODE
  • data/excluded/GO-2023-1467.yaml (https://github.com/golang/vulndb/issues/1467) NOT_GO_CODE
  • data/excluded/GO-2023-2037.yaml (https://github.com/golang/vulndb/issues/2037) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-1189.yaml (https://github.com/golang/vulndb/issues/1189)
  • data/reports/GO-2022-1190.yaml (https://github.com/golang/vulndb/issues/1190)
  • data/reports/GO-2022-1191.yaml (https://github.com/golang/vulndb/issues/1191)
  • data/reports/GO-2022-1192.yaml (https://github.com/golang/vulndb/issues/1192)
  • data/reports/GO-2022-1205.yaml (https://github.com/golang/vulndb/issues/1205)
  • data/reports/GO-2022-1215.yaml (https://github.com/golang/vulndb/issues/1215)
  • data/reports/GO-2022-1216.yaml (https://github.com/golang/vulndb/issues/1216)
  • data/reports/GO-2022-1217.yaml (https://github.com/golang/vulndb/issues/1217)
  • data/reports/GO-2022-1218.yaml (https://github.com/golang/vulndb/issues/1218)
  • data/reports/GO-2022-1219.yaml (https://github.com/golang/vulndb/issues/1219)
  • data/reports/GO-2022-1220.yaml (https://github.com/golang/vulndb/issues/1220)
  • data/reports/GO-2022-1225.yaml (https://github.com/golang/vulndb/issues/1225)
  • data/reports/GO-2022-1235.yaml (https://github.com/golang/vulndb/issues/1235)
  • data/reports/GO-2022-1236.yaml (https://github.com/golang/vulndb/issues/1236)
  • data/reports/GO-2022-1239.yaml (https://github.com/golang/vulndb/issues/1239)
  • data/reports/GO-2022-1240.yaml (https://github.com/golang/vulndb/issues/1240)
  • data/reports/GO-2022-1243.yaml (https://github.com/golang/vulndb/issues/1243)
  • data/reports/GO-2022-1244.yaml (https://github.com/golang/vulndb/issues/1244)
  • data/reports/GO-2022-1245.yaml (https://github.com/golang/vulndb/issues/1245)
  • data/reports/GO-2022-1248.yaml (https://github.com/golang/vulndb/issues/1248)
  • data/reports/GO-2022-1250.yaml (https://github.com/golang/vulndb/issues/1250)
  • data/reports/GO-2022-1251.yaml (https://github.com/golang/vulndb/issues/1251)
  • data/reports/GO-2022-1252.yaml (https://github.com/golang/vulndb/issues/1252)
  • data/reports/GO-2022-1253.yaml (https://github.com/golang/vulndb/issues/1253)
  • data/reports/GO-2022-1256.yaml (https://github.com/golang/vulndb/issues/1256)
  • data/reports/GO-2022-1257.yaml (https://github.com/golang/vulndb/issues/1257)
  • data/reports/GO-2022-1259.yaml (https://github.com/golang/vulndb/issues/1259)
  • data/reports/GO-2022-1260.yaml (https://github.com/golang/vulndb/issues/1260)
  • data/reports/GO-2022-1261.yaml (https://github.com/golang/vulndb/issues/1261)
  • data/reports/GO-2022-1263.yaml (https://github.com/golang/vulndb/issues/1263)
  • data/reports/GO-2022-1264.yaml (https://github.com/golang/vulndb/issues/1264)
  • data/reports/GO-2022-1266.yaml (https://github.com/golang/vulndb/issues/1266)
  • data/reports/GO-2023-1270.yaml (https://github.com/golang/vulndb/issues/1270)
  • data/reports/GO-2023-1285.yaml (https://github.com/golang/vulndb/issues/1285)
  • data/reports/GO-2023-1291.yaml (https://github.com/golang/vulndb/issues/1291)
  • data/reports/GO-2023-1292.yaml (https://github.com/golang/vulndb/issues/1292)
  • data/reports/GO-2023-1449.yaml (https://github.com/golang/vulndb/issues/1449)
  • data/reports/GO-2023-1461.yaml (https://github.com/golang/vulndb/issues/1461)
  • data/reports/GO-2023-1462.yaml (https://github.com/golang/vulndb/issues/1462)
  • data/reports/GO-2023-1465.yaml (https://github.com/golang/vulndb/issues/1465)
  • data/reports/GO-2023-1469.yaml (https://github.com/golang/vulndb/issues/1469)
  • data/reports/GO-2023-1566.yaml (https://github.com/golang/vulndb/issues/1566)
  • data/reports/GO-2023-2036.yaml (https://github.com/golang/vulndb/issues/2036)
  • data/reports/GO-2023-2038.yaml (https://github.com/golang/vulndb/issues/2038)
  • data/reports/GO-2023-2065.yaml (https://github.com/golang/vulndb/issues/2065)
  • data/reports/GO-2024-3046.yaml (https://github.com/golang/vulndb/issues/3046)
  • data/reports/GO-2024-3047.yaml (https://github.com/golang/vulndb/issues/3047)
  • data/reports/GO-2024-3049.yaml (https://github.com/golang/vulndb/issues/3049)
  • data/reports/GO-2024-3088.yaml (https://github.com/golang/vulndb/issues/3088)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/usememos/memos
      versions:
        - fixed: 0.10.0
      vulnerable_at: 0.9.1
summary: Stored XSS using two files in usememos/memos in github.com/usememos/memos
cves:
    - CVE-2023-0109
ghsas:
    - GHSA-5r2g-59px-3q9w
references:
    - advisory: https://github.com/advisories/GHSA-5r2g-59px-3q9w
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-0109
    - fix: https://github.com/usememos/memos/commit/46c13a4b7f675b92d297df6dabb4441f13c7cd9c
    - web: https://huntr.com/bounties/1899ffb2-ce1e-4dc0-af96-972612190f6e
source:
    id: GHSA-5r2g-59px-3q9w
    created: 2024-11-15T21:01:22.939142186Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/629356 mentions this issue: data/reports: add 9 unreviewed reports