usememos memos
cpe:2.3:a:usememos:memos:*:*:*:*:*:*:*
- 0.22
A stored cross-site scripting vulnerability has been identified in the upload attachment and user avatar features of Memos version 0.22. The application fails to validate the content type of uploaded data, allowing an authenticated attacker to inject malicious scripts. When these scripts are executed by an administrator, they could be used to elevate privileges, potentially leading to unauthorized changes in the application configuration.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content. In this case, it could lead to privilege escalation if an admin inadvertently runs the script.
To reproduce this vulnerability, an authenticated user uploads a file through the resource upload feature, including a script payload and setting the content type to 'text/html'. Alternatively, the user avatar feature can be used to inject a script by uploading an image with a 'data' URL containing the malicious code, which is executed when the avatar is viewed by an admin.
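One server-side check that covers both vectors described above, as an added example in Go (the language of the Memos backend); it is not the project's code or its actual fix. The function names `ServeHeaders` and `ValidAvatar`, the allowlist, and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// Raster types that may render inline. HTML and SVG are left out: both can carry script.
var inlineImages = map[string]bool{"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true}

// ServeHeaders picks response headers for a stored upload. The declared type is
// client-controlled, so it is honoured only when it is an allowlisted image type
// and the sniffed bytes agree; anything else is served as a download.
func ServeHeaders(declared string, body []byte) (contentType, disposition string) {
	mt, _, err := mime.ParseMediaType(declared)
	if err == nil && inlineImages[mt] && http.DetectContentType(body) == mt {
		return mt, "inline"
	}
	return "application/octet-stream", "attachment"
}

// ValidAvatar accepts only base64 data URLs whose declared type is an allowlisted
// image and whose decoded bytes sniff as that same type.
func ValidAvatar(u string) bool {
	meta, payload, ok := strings.Cut(strings.TrimPrefix(u, "data:"), ",")
	if !ok || !strings.HasPrefix(u, "data:") || !strings.HasSuffix(meta, ";base64") {
		return false
	}
	mt := strings.TrimSuffix(meta, ";base64")
	raw, err := base64.StdEncoding.DecodeString(payload)
	return err == nil && inlineImages[mt] && http.DetectContentType(raw) == mt
}

func main() {
	// Constructed samples: a PNG signature and an HTML body labelled two ways.
	png, html := []byte("\x89PNG\r\n\x1a\n"), []byte("<script>/* sample */</script>")
	fmt.Println(ServeHeaders("image/png", png))
	fmt.Println(ServeHeaders("text/html", html))
	fmt.Println(ServeHeaders("image/png", html))
	fmt.Println(ValidAvatar("data:image/png;base64,iVBORw0KGgo="))
	fmt.Println(ValidAvatar("data:text/html;base64,PHNjcmlwdD4="))
}
```

Sending `X-Content-Type-Options: nosniff` together with the returned headers keeps the browser from reinterpreting the served type.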