MidnightBSD

Advisories for usememos

CVE-2022-25978

All versions of the package github.com/usememos/memos/server are vulnerable to Cross-site Scripting (XSS) due to insufficient checks on external resources, which allows malicious actors to introduce links starting with a javascript: scheme.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
report@snyk.io 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4609

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4683

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4684

Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4686

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4687

Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4688

Improper Authorization in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4689

Improper Access Control in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4690

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4691

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4692

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4694

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4695

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4734

Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4767

Denial of Service in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4796

Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4797

Improper Restriction of Excessive Authentication Attempts in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4798

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4799

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4800

Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4801

Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4802

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4803

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4804

Improper Authorization in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4805

Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4806

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4807

Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4808

Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4809

Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4810

Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4811

Authorization Bypass Through User-Controlled Key vulnerability in usememos usememos/memos.This issue affects usememos/memos before 0.9.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4812

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4813

Insufficient Granularity of Access Control in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4814

Improper Access Control in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4839

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4840

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4841

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4844

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4845

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4846

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4847

Incorrectly Specified Destination in a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4848

Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4849

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4850

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4851

Improper Handling of Values in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4863

Improper Handling of Insufficient Permissions or Privileges in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4865

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2022-4866

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1.

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-0106

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-0107

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-0108

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-0109

A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. When the HTML file is accessed, the malicious script is executed. This can lead to the theft of sensitive information, such as login credentials, from users visiting the affected website. The issue has been fixed in version 0.10.0.

Products Affected

Vendor Product Version
usememos memos 0.9.1
CVE-2023-0110

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-0111

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-0112

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-4696

Improper Access Control in GitHub repository usememos/memos prior to 0.13.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-4697

Improper Privilege Management in GitHub repository usememos/memos prior to 0.13.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-4698

Improper Input Validation in GitHub repository usememos/memos prior to 0.13.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
usememos memos *
CVE-2023-5036

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.15.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
usememos memos *
CVE-2024-21635

Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password. In versions up to and including 0.18.1, though, the bad actor will still have access to their account because the bad actor's Access Token stays on the list as a valid token. The user will have to manually delete the bad actor's Access Token to secure their account. The list of Access Tokens has a generic Description which makes it hard to pinpoint a bad actor in a list of Access Tokens. A known patched version of Memos isn't available. To improve Memos security, all Access Tokens will need to be revoked when a user changes their password. This removes the session for all the user's devices and prompts the user to log in again. One can treat the old Access Tokens as "invalid" because those Access Tokens were created with the older password.

Products Affected

Vendor Product Version
usememos memos *
CVE-2024-29028

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/httpmeta that allows unauthenticated users to enumerate the internal network and receive limited html values in json form. This vulnerability is fixed in 0.16.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
usememos memos *
CVE-2024-29029

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
usememos memos *
CVE-2024-29030

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /api/resource that allows authenticated users to enumerate the internal network. Version 0.22.0 of memos removes the vulnerable file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
usememos memos *
CVE-2024-41659

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
usememos memos *
CVE-2025-22952

elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
usememos memos 0.23.0
CVE-2025-50738

The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
usememos memos *
CVE-2025-56760

When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
usememos memos 0.22.0
CVE-2025-56761

Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serve it back as is. An authenticated attacker can use this to elevate their privileges when the stored XSS is viewed by an admin.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
usememos memos 0.22.0
CVE-2025-65795

Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
usememos memos 0.25.2
CVE-2025-65796

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily delete reactions made to other users' Memos.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
usememos memos 0.25.2
CVE-2025-65797

Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
usememos memos 0.25.2
CVE-2025-65798

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
usememos memos 0.25.2
CVE-2025-65799

A lack of file name validation or verification in the Attachment service of usememos memos v0.25.2 allows attackers to execute a path traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
usememos memos 0.25.2