The memos application allows users to add resources from an external link. It was found that there are no checks on the added link, thus allowing a malicious user to introduce links starting with the javascript: scheme. If the user creates a public note with an external resource pointing to a malicious link javascript:alert(1), it would be possible to achieve XSS and steal the other users' private notes or impersonate their accounts.
It's advised to only allow external resources that are served from https:// websites in order to mitigate this vulnerability.
Steps to reproduce
1- Create a resource and choose External Link
2- Type the following link: javascript:alert(document.domain)
3- Choose the type as application/* and add the resource
4- Now create a new public note and add the malicious external resource
5- If a user or the admin clicks the external resource, the malicious JS code will be executed on their behalf
Screenshots or additional context
No response
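
The mitigation advised in the report (accept only https:// external links) can be enforced server-side with an allowlist check like the one below. This is an added example, not code from the memos project; the function name ValidateExternalLink, the error value and the sample URLs are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ErrLinkRejected is a hypothetical sentinel error for refused links.
var ErrLinkRejected = errors.New("external link rejected")

// ValidateExternalLink (hypothetical helper) accepts a link only if it
// parses cleanly, uses the https scheme, and names a host. Allowlisting
// one scheme avoids chasing javascript:, data:, vbscript: and their
// case or whitespace variants with a blocklist.
func ValidateExternalLink(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		// url.Parse refuses control characters (tab, newline) and a
		// colon in a scheme-less first segment, e.g. " javascript:...".
		return fmt.Errorf("%w: %v", ErrLinkRejected, err)
	}
	// url.Parse lowercases the scheme, so "JavaScript:" and "HTTPS:"
	// are compared in canonical form.
	if u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q is not https", ErrLinkRejected, u.Scheme)
	}
	// "https:example.com" parses as an opaque URL with no host.
	if u.Opaque != "" || u.Hostname() == "" {
		return fmt.Errorf("%w: missing host", ErrLinkRejected)
	}
	return nil
}

func main() {
	// Constructed sample inputs.
	samples := []string{
		"https://example.com/files/report.pdf",
		"javascript:alert(document.domain)",
		"JavaScript:alert(1)",
		" javascript:alert(1)",
		"data:text/html,x",
		"http://example.com/report.pdf",
		"https:example.com",
	}
	for _, s := range samples {
		fmt.Printf("%-40q -> %v\n", s, ValidateExternalLink(s))
	}
}
```

The check belongs on the server at the point the resource is created, so a stored link is already safe before any client renders it as a clickable href.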