Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/usememos/memos/server: CVE-2022-25978 #1566

Closed
GoVulnBot opened this issue Feb 15, 2023 · 1 comment
Assignees

Comments

@GoVulnBot
Copy link

CVE-2022-25978 references [Path is unknown](https://Path is unknown), which may be a Go module.

Description:
All versions of the package github.com/usememos/memos/server are vulnerable to Cross-site Scripting (XSS) due to insufficient checks on external resources, which allows malicious actors to introduce links starting with a javascript: scheme.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: std
    packages:
      - package: Path is unknown
description: |
    All versions of the package github.com/usememos/memos/server are vulnerable to Cross-site Scripting (XSS) due to insufficient checks on external resources, which allows malicious actors to introduce links starting with a javascript: scheme.
cves:
  - CVE-2022-25978
references:
  - web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUSEMEMOSMEMOSSERVER-3319070
  - fix: https://github.com/usememos/memos/commit/b11d2130a084385eb65c3761a3c841ebe9f81ae8
  - web: https://github.com/usememos/memos/issues/1026

@timothy-king timothy-king self-assigned this Feb 15, 2023
@timothy-king timothy-king changed the title x/vulndb: potential Go vuln in Path is unknown: CVE-2022-25978 x/vulndb: potential Go vuln in github.com/usememos/memos/server: CVE-2022-25978 Feb 15, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/468637 mentions this issue: data/reports: add GO-2023-1566.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants