CVE-2023-0108: usememos/memos vulnerable to stored Cross-site Scripting

CVSS Score: 5.4 (CVSS 3.1)

Basic Information

EPSS Score: 0.28561%
Published: 1/7/2023
Updated: 1/28/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: github.com/usememos/memos
Ecosystem: go
Vulnerable Versions: < 0.10.0
First Patched Version: 0.10.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper Content-Type handling when serving resources. The pre-patch code in resource.go (lines 266-274) used the user-controlled resource.Type directly to set HTTP headers, enabling XSS if a malicious resource (e.g., text/html) was stored. The patch introduced content-type validation (strings.HasPrefix checks) to mitigate this. The security middleware changes in server.go appear to be defense-in-depth rather than the primary source of the vulnerability.
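One way to apply the prefix validation described above when serving a stored resource, as an added example that is not the memos patch or any code from the project. The Resource type, the function names, the allowed prefixes and the application/octet-stream fallback are all assumptions of this example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Resource is a hypothetical stored upload; Type is uploader-declared, so untrusted.
type Resource struct {
	Type string
	Blob []byte
}

// SafeContentType maps a stored type to one that is safe to serve inline.
// The allowed prefixes are this example's assumption, not the project's list.
func SafeContentType(stored string) string {
	mt, _, err := mime.ParseMediaType(stored) // lowercases and strips parameters
	if err != nil || mt == "image/svg+xml" {  // SVG can embed script
		return "application/octet-stream"
	}
	for _, p := range []string{"image/", "audio/", "video/"} {
		if strings.HasPrefix(mt, p) {
			return mt
		}
	}
	return "application/octet-stream"
}

// ServeResource never copies r.Type into the header unvalidated, and sets nosniff
// so the browser does not guess an HTML type from the body.
func ServeResource(w http.ResponseWriter, r Resource) {
	w.Header().Set("Content-Type", SafeContentType(r.Type))
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Write(r.Blob)
}

// ServedType returns the Content-Type header a client would receive.
func ServedType(r Resource) string {
	rec := httptest.NewRecorder()
	ServeResource(rec, r)
	return rec.Header().Get("Content-Type")
}

func main() {
	for _, t := range []string{"text/html", "TEXT/HTML; charset=utf-8", "image/png", "image/svg+xml", ""} { // constructed inputs
		fmt.Printf("%-28q -> %s\n", t, ServedType(Resource{Type: t, Blob: []byte("x")}))
	}
}
```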
