CVE-2025-56761

Medium CVSS: 5.4

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

Vendor

Usememos

Product

Memos

CWE

CWE-79

Yayın Tarihi

2025-09-03 17:15:34

Güncelleme

2025-09-09 18:27:28

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Memos MEDIUM Usememos 2025

Referanslar

https://github.com/usememos/memos/blob/v0.24.0/server/router/api/v1/user_service.go#L147 https://github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go#L48 https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples/

Benzer Kayıtlar

High

CVE-2025-65795

Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create…

Medium

CVE-2025-65797

Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level priv…

Medium

CVE-2025-65799

A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to e…

Medium

CVE-2025-65796

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reac…

Medium

CVE-2025-65798

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or d…

High

CVE-2024-21635

Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. Wh…