CVE-2022-4609: Memos Cross-site Scripting vulnerability

CVSS Score: 5.4 (version 3.1)

Basic Information

EPSS Score: 0.48507%
Published: 12/19/2022
Updated: 2/1/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: github.com/usememos/memos
Ecosystem: go
Vulnerable Versions: <= 0.8.3
First Patched Version: (not listed)

Vulnerability Intelligence
Miggo AI: Root Cause Analysis

The vulnerability stems from missing filename validation in the resource upload handler. The patch in commit 726285e adds a check for `.html` extensions in `server/resource.go`, which indicates that the vulnerable code was the anonymous handler function for the POST route (registered in `registerResourceRoutes`). That handler processed user-uploaded files without sanitizing filenames, enabling XSS via HTML file uploads. The high confidence comes from the direct correlation between the patch location and the CWE-79 XSS weakness description.
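The filename check described above, written as an added example with the Go standard library only; it is not Memos code and not the patch in commit 726285e. The function names, the extension list and the sample filenames are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"path/filepath"
	"strings"
)

// Extensions browsers may render as active content when served inline.
// The list is an assumption for this example; the page names only .html.
var activeExt = map[string]bool{".html": true, ".htm": true, ".xhtml": true, ".svg": true}

// suffixOnlyReject is a hypothetical literal ".html" suffix comparison,
// kept here only to compare against the normalized check below.
func suffixOnlyReject(filename string) bool {
	return strings.HasSuffix(filename, ".html")
}

// normalizedReject lowercases the name and trims trailing dots and
// whitespace before reading the extension, so variants of a blocked
// name are rejected as well.
func normalizedReject(filename string) bool {
	name := strings.ToLower(strings.TrimRight(filename, ". \t"))
	return activeExt[filepath.Ext(name)]
}

// downloadHeaders is a second layer for serving stored uploads: a generic
// content type, forced download, and no MIME sniffing, so a file that
// passes validation is still not rendered in the application's origin.
func downloadHeaders(filename string) map[string]string {
	disp := mime.FormatMediaType("attachment",
		map[string]string{"filename": filepath.Base(filename)})
	return map[string]string{
		"Content-Type":           "application/octet-stream",
		"Content-Disposition":    disp,
		"X-Content-Type-Options": "nosniff",
	}
}

func main() {
	// Constructed sample filenames.
	for _, f := range []string{"notes.html", "notes.HTML", "notes.html.", "diagram.svg", "photo.png"} {
		fmt.Printf("%-12s suffixOnly=%-5v normalized=%v\n", f, suffixOnlyReject(f), normalizedReject(f))
	}
	fmt.Println(downloadHeaders("notes.html"))
}
```

A deny-list like this is only as complete as its entries; an allow-list of expected upload types combined with the download headers is the stricter design.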


