CVE-2024-41659

Aug. 22, 2024, 4:15 p.m.

8.1
High

Description

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.

Product(s) Impacted

Product Versions
memos
  • ['0.20.1 and earlier']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-942
Permissive Cross-domain Policy with Untrusted Domains
The product uses a cross-domain policy file that includes domains that should not be trusted.

References

https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163
https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9
https://securitylab.github.com/advisories/GHSL-2024-034_memos/

Tags

security-advisories@github.com
CWE-942
2024-08-20
CVE-2024-41659

CVSS Score

8.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: Aug. 20, 2024, 8:15 p.m.
Last Modified: Aug. 22, 2024, 4:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.