usememos memos
cpe:2.3:a:usememos:memos:*:*:*:*:*:*:*
- <= 0.22.1
A vulnerability exists in usememos memos versions prior to 0.22.1, specifically in the UpdateInstanceSetting component. The issue arises from the backend gRPC-web endpoint 'UpdateInstanceSetting', which fails to properly validate user permissions. This allows standard 'Member' users to bypass frontend restrictions and inject malicious scripts into global instance settings. The injected scripts are executed for all users, including administrators, leading to session hijacking and unauthorized access to sensitive data, such as the memos_access_token.
Exploitation of this vulnerability allows non-privileged users to modify global settings, execute injected scripts that run in the context of all users, and steal session tokens from the browser's storage.
To reproduce this vulnerability, create a standard user account with 'Member' privileges. Manually navigate to the administrative settings page by appending '#system' to the URL. Once on the page, inject a script into the 'Additional script' field, such as a simple alert script. After saving the changes, the injected script will execute for all users who visit the Memos instance.
It is recommended to implement server-side authorization checks to ensure that only users with the appropriate roles can access the UpdateInstanceSetting endpoint. Additionally, replace innerHTML injections with safer alternatives or use a library like DOMPurify to sanitize inputs before adding them to the DOM.
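An added illustration of the server-side check recommended above, not code from the memos project: the handler derives the caller's role from the authenticated session and refuses the update for anyone who is not HOST or ADMIN, before any global state is touched. The Role values, the context key and the InstanceSettings type are assumptions for this example, not memos' own API.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Role is the caller's role as resolved server-side from the validated session.
type Role string

const RoleHost, RoleAdmin, RoleMember Role = "HOST", "ADMIN", "MEMBER"

var ErrPermissionDenied = errors.New("permission denied: instance settings require HOST or ADMIN")

type contextKey string

const callerRoleKey contextKey = "callerRole"

// WithCallerRole attaches the authenticated role to the request context, as an auth
// interceptor would after validating the access token; the client never supplies it.
func WithCallerRole(ctx context.Context, r Role) context.Context {
	return context.WithValue(ctx, callerRoleKey, r)
}

// authorizeInstanceSettingUpdate is the server-side check the advisory calls for. It
// decides solely from the authenticated role; a missing role is denied, not defaulted.
func authorizeInstanceSettingUpdate(ctx context.Context) error {
	switch r, _ := ctx.Value(callerRoleKey).(Role); r {
	case RoleHost, RoleAdmin:
		return nil
	default:
		return ErrPermissionDenied
	}
}

// InstanceSettings is a minimal stand-in for the global settings store (constructed).
type InstanceSettings struct{ AdditionalScript string }

// UpdateInstanceSetting mirrors the endpoint named in the advisory (hypothetical
// signature): authorization runs before any global state is touched.
func (s *InstanceSettings) UpdateInstanceSetting(ctx context.Context, script string) error {
	if err := authorizeInstanceSettingUpdate(ctx); err != nil {
		return err
	}
	s.AdditionalScript = script
	return nil
}

func main() {
	fmt.Println((&InstanceSettings{}).UpdateInstanceSetting(WithCallerRole(context.Background(), RoleMember), "/* constructed */"))
}
```

The frontend hiding the settings page is irrelevant to this check; only the role bound to the session on the server decides.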