usememos / memos

An open-source, lightweight note-taking solution. The pain-less way to create your meaningful notes.
https://usememos.com
MIT License

XSS Due to insufficient checks on the external resources #1026

Closed kahla-sec closed 1 year ago

kahla-sec commented 1 year ago

Describe the bug

The memos application allows users to add resources from an external link. It was found that there are no checks on the added link, thus allowing a malicious user to introduce links starting with the javascript: scheme. If the user creates a public note with an external resource pointing to a malicious link such as javascript:alert(1), it would be possible to achieve XSS and steal the other users' private notes or impersonate their accounts. It's advised to only allow external resources that are served from https:// websites in order to mitigate this vulnerability.

Steps to reproduce

1- Create a resource and choose External Link
2- Type the following link: javascript:alert(document.domain)
3- Choose the type as application/* and add the resource
4- Now create a new public note and add the malicious external resource
5- If a user or the admin clicks the external resource, the malicious JS code will be executed on their behalf

Screenshots or additional context

No response
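One way to implement the https-only check the report recommends, as an added example (this is not code from the memos project; memos' server is written in Go, but the function and error names below are assumed and the project's real resource handler is not shown). Besides the exact `javascript:` string, it also rejects the scheme-less, uppercase and control-character variants that browsers still execute, because the WHATWG URL parser strips ASCII tab, LF and CR and leading whitespace before reading the scheme.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUnsafeScheme is returned for any link that is not an absolute https URL.
// (Hypothetical name; the memos project does not define it.)
var ErrUnsafeScheme = errors.New("external link must be an absolute https:// URL")

// ValidateExternalLink normalises a user-supplied external resource link the
// way a browser would and accepts it only if its scheme is https and it has
// a host. It returns the canonical form on success. Hypothetical helper,
// not part of memos.
func ValidateExternalLink(raw string) (string, error) {
	// Browsers drop ASCII tab/LF/CR anywhere in a URL and ignore leading
	// whitespace, so "java\tscript:alert(1)" is executed as javascript:.
	// Apply the same normalisation so the check agrees with the browser.
	cleaned := strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, raw)
	cleaned = strings.TrimSpace(cleaned)

	u, err := url.Parse(cleaned)
	if err != nil {
		return "", fmt.Errorf("invalid external link: %w", err)
	}
	// url.Parse lowercases the scheme; EqualFold keeps the intent explicit.
	// Allowlisting https also rejects javascript:, data:, vbscript:, http:
	// and scheme-relative "//host/..." links in one place.
	if !strings.EqualFold(u.Scheme, "https") {
		return "", ErrUnsafeScheme
	}
	if u.Host == "" {
		return "", ErrUnsafeScheme
	}
	return u.String(), nil
}

func main() {
	// Constructed sample inputs: the PoC from the report plus obfuscated variants.
	samples := []string{
		"https://example.com/report.pdf",
		"javascript:alert(document.domain)",
		"JavaScript:alert(1)",
		"  javascript:alert(1)",
		"java\tscript:alert(1)",
		"data:text/html,<script>alert(1)</script>",
		"http://example.com/report.pdf",
		"//example.com/report.pdf",
	}
	for _, s := range samples {
		link, err := ValidateExternalLink(s)
		if err != nil {
			fmt.Printf("reject %q: %v\n", s, err)
			continue
		}
		fmt.Printf("accept %q -> %s\n", s, link)
	}
}
```

Doing this on the server is what matters: a client-side check in the resource dialog is bypassed trivially by calling the API directly, and the stored link is rendered to every viewer of a public note.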

kahla-sec commented 1 year ago

Any answer from the maintainers? @boojack Maybe you can help regarding this :)

boojack commented 1 year ago

@kahla-sec Thanks so much. We will fix this as soon as possible.

kahla-sec commented 1 year ago

Thanks a lot! I'll be glad to retest it when it's done!