
CVE-2023-0111: usememos/memos vulnerable to stored Cross-site Scripting

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.30269%
Published: 1/7/2023
Updated: 1/28/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: github.com/usememos/memos
Ecosystem: go
Vulnerable Versions: < 0.10.0
First Patched Version: 0.10.0

Vulnerability Intelligence

Root Cause Analysis

The key vulnerability stemmed from how uploaded resources were served. In the pre-patch version, server/resource.go set the Content-Type response header directly from the user-controlled resource.Type value. An attacker with upload rights could therefore store a resource with an active MIME type (such as text/html), and a browser fetching it would render and execute its contents in the application's origin. The patch added validation (strings.HasPrefix checks) that forces Content-Type to text/plain for any type under the text/ or application/ prefixes, so such content is rendered as inert text, mitigating the stored XSS. The function that serves resource responses (registerResourcePublicRoutes) was the point at which the malicious content reached the browser.
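The header handling described above, as an added illustration that is not the project's own code: a hypothetical Resource type, a safeContentType helper that applies the prefix rule the patch introduced, and a handler that uses it; X-Content-Type-Options is an extra hardening beyond the described fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Resource models an uploaded file whose MIME type was supplied by the
// uploader. The field names are hypothetical, not the project's own.
type Resource struct {
	Filename string
	Type     string // user-controlled, e.g. "text/html"
	Blob     []byte
}

// safeContentType applies the rule the patch introduced: any user-supplied
// type under text/ or application/ is downgraded to text/plain so the browser
// shows the bytes as text instead of rendering markup or running script.
func safeContentType(userType string) string {
	if strings.HasPrefix(userType, "text/") || strings.HasPrefix(userType, "application/") {
		return "text/plain"
	}
	return userType
}

// serveResource is the hardened handler: Content-Type goes through
// safeContentType instead of being copied verbatim from Resource.Type.
func serveResource(w http.ResponseWriter, r *Resource) {
	w.Header().Set("Content-Type", safeContentType(r.Type))
	// Extra defence not part of the described patch: forbid MIME sniffing.
	w.Header().Set("X-Content-Type-Options", "nosniff")
	_, _ = w.Write(r.Blob)
}

// contentTypeFor runs the handler against a recorder and returns the
// Content-Type a browser would receive for the given resource.
func contentTypeFor(r *Resource) string {
	rec := httptest.NewRecorder()
	serveResource(rec, r)
	return rec.Header().Get("Content-Type")
}

func main() {
	// Constructed samples: an upload claiming to be HTML, and a real image type.
	html := &Resource{Filename: "note.html", Type: "text/html", Blob: []byte("<script>/* inert as text/plain */</script>")}
	png := &Resource{Filename: "a.png", Type: "image/png", Blob: []byte{0x89, 'P', 'N', 'G'}}
	fmt.Println("claimed", html.Type, "served as", contentTypeFor(html))
	fmt.Println("claimed", png.Type, "served as", contentTypeFor(png))
}
```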


WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.
