CVE-2024-29029
Published 2024-04-19
Priority: P1 81 · Severity: medium, CVSS 3.1 base score 6.1
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploited in the wild (ITW exploit, VulnCheck KEV)
EPSS: 1.08% (60.9th percentile)
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the `/o/get/image` endpoint that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | usememos_memos | >= 0 < 0.22.0 | 0.22.0 |
| usememos | memos | < 0.22.0 | 0.22.0 |
Detection & IOCs (extracted from sources)
URL: /o/get/image?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg
- Look for GET requests to /o/get/image with a user-supplied `url` parameter; no authentication is required to trigger the SSRF/XSS.
- Absence of the `Content-Security-Policy: default-src 'none';` response header combined with a 200 status and the XSS payload in the body confirms the vulnerability.
- Use Shodan query `title:"Memos"` or FOFA query `title="Memos"` to identify exposed Memos instances for proactive scanning.
- The vulnerability is present in Memos 0.13.2 and is fully removed in version 0.22.0 (the vulnerable endpoint no longer exists).
- The endpoint is accessible without authentication, meaning no session or credentials are needed to exploit SSRF or trigger reflected XSS.
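The first detection point above (unauthenticated GET /o/get/image with a `url` parameter) can be checked against web-server access logs. The following is an added example, not code from the advisory or from the memos project; it assumes combined-log-format lines (the sample lines are constructed) and classifies each fetched target as internal (loopback, RFC 1918 or link-local, i.e. SSRF into the internal network) or external.

```python
# Added example (not from the advisory or the memos project): scan access-log
# lines for the CVE-2024-29029 request pattern GET /o/get/image?url=<target>.
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample data in combined log format: client, timestamp, request, status, bytes.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Apr/2024:10:00:01 +0000] "GET /o/get/image?url=http%3A%2F%2F10.0.0.12%3A8080%2Flogo.png HTTP/1.1" 200 512
203.0.113.5 - - [19/Apr/2024:10:00:02 +0000] "GET /o/get/image?url=http%3A%2F%2F127.0.0.1%3A9000%2F HTTP/1.1" 200 1024
198.51.100.9 - - [19/Apr/2024:10:00:03 +0000] "GET /o/get/image?url=https%3A%2F%2Fexample.org%2Fpayload.svg HTTP/1.1" 200 2048
198.51.100.9 - - [19/Apr/2024:10:00:04 +0000] "GET /api/v1/memo HTTP/1.1" 200 300
"""

# client, method, path (with query string), status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_target(target: str) -> str:
    """Label a fetched URL 'internal' when its host is loopback, private or
    link-local (or the literal 'localhost'); anything else is 'external'."""
    host = urlsplit(target).hostname or ""
    if host == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        return "external"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "external"


def scan_access_log(text: str) -> list:
    """Return one finding per request to /o/get/image that carries a url parameter."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        parts = urlsplit(path)
        if parts.path != "/o/get/image":
            continue
        targets = parse_qs(parts.query).get("url")  # parse_qs percent-decodes
        if not targets:
            continue
        findings.append({"client": client, "method": method, "status": int(status),
                         "target": targets[0], "kind": classify_target(targets[0])})
    return findings
```

The second detection point (missing `Content-Security-Policy` header plus payload in the body) needs response data from a proxy or WAF log, which plain access logs do not carry.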
CVSS provenance
- NVD (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- VulnCheck: 6.1 MEDIUM
OSV (2024-08-06)
CVE-2024-29029: memos vulnerable to Server-Side Request Forgery and Cross-site Scripting in github.com/usememos/memos
GHSA (2024-08-05)
CVE-2024-29029 [MEDIUM] CWE-79: memos vulnerable to Server-Side Request Forgery and Cross-site Scripting
OSV (2024-08-05)
CVE-2024-29029 [MEDIUM]: memos vulnerable to Server-Side Request Forgery and Cross-site Scripting
VulnCheck (2024, CVSS 6.1)
CVE-2024-29029 [MEDIUM]: usememos memos Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected: usememos memos
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2024-29029
No detection rules found.
Nuclei (CVSS 6.1)
CVE-2024-29029 [MEDIUM]: Memos 0.13.2 - Cross-Site Scripting & SSRF
An SSRF vulnerability exists at the `/o/get/image` endpoint that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability.
Template (as indexed, truncated):
```yaml
id: CVE-2024-29029

info:
  name: Memos 0.13.2 - Cross-Site Scripting & SSRF
  author: ritikchaddha
  severity: medium
  description: |
    An SSRF vulnerability exists at the `/o/get/image` that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability.
  impact: |
    Attackers can inject malicious scripts and perfo
```
No writeups or analysis indexed.
References:
- https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/http_getter.go#L29
- https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5
- https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/