CVE-2024-29029
published 2024-04-19


Priority: P181, medium
CVSS 3.1: 6.1 (AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 1.08% (60.9th percentile)
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image endpoint that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.

Affected (2 ranges)

Vendor      | Product         | Version range      | Fixed in
github.com  | usememos_memos  | >= 0, < 0.22.0     | 0.22.0
usememos    | memos           | < 0.22.0           | 0.22.0

Detection & IOCs (extracted from sources)

URL:  /o/get/image?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg
Path: /o/get/image
  • Look for GET requests to /o/get/image with a user-supplied `url` parameter; no authentication is required to trigger the SSRF/XSS.
  • Absence of the `Content-Security-Policy: default-src 'none';` response header combined with a 200 status and the XSS payload in the body confirms the vulnerability.
  • Use Shodan query `title:"Memos"` or FOFA query `title="Memos"` to identify exposed Memos instances for proactive scanning.
  • The vulnerability is present in Memos 0.13.2 and is fully removed in version 0.22.0 (the vulnerable endpoint no longer exists).
  • The endpoint is accessible without authentication, meaning no session or credentials are needed to exploit SSRF or trigger reflected XSS.

CVSS provenance

NVD:       v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck: 6.1 MEDIUM