PT-2024-29488 · Memos · Memos
Kevin Stubbings +1 · Published 2024-08-20 · Updated 2024-08-30 · CVE-2024-41659
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
memos versions 0.20.1 and earlier
Description
A CORS misconfiguration exists in memos: the value of the request's Origin header is reflected verbatim into Access-Control-Allow-Origin, and Access-Control-Allow-Credentials is set to true. Because an origin allow-list is never applied, a page on any website visited by a logged-in memos user can issue credentialed cross-origin requests to the instance and read the responses. This allows the attacker to read private information or make privileged changes to the system as the vulnerable user account. The UI:P component of the CVSS vector reflects that the victim has to visit the attacker's page while authenticated; in practice the browser must also attach the session credential to the cross-site request, so cookie attributes such as SameSite affect exploitability.
Recommendations
For memos versions 0.20.1 and earlier, update to version 0.21.0 or later, which fixes the CORS misconfiguration. As a temporary workaround, limit the sensitive information and privileged actions reachable through the affected instance to reduce the impact of exploitation. After updating, confirm the fix by sending a request with a foreign Origin header and checking that the response no longer reflects it in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true.
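The following Go program is an added example illustrating both the description and the recommendation above; it is not memos code and does not reproduce the project's actual fix. It shows a middleware with the reflected-origin pattern the advisory describes next to a hardened version that checks an exact allow-list, plus the probe a tester runs to tell the two apart. The allow-list contents, the `/api/private` path and the origins used are assumptions made up for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedOrigins is a hypothetical allow-list of front-end origins permitted
// to make credentialed requests; a real deployment would load it from
// configuration rather than hard-coding it.
var allowedOrigins = map[string]bool{
	"https://memos.example.com": true,
}

// vulnerableCORS reproduces the pattern the advisory describes: whatever
// Origin header the browser sends is copied into Access-Control-Allow-Origin
// and credentials are allowed, so any site can read authenticated responses.
func vulnerableCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}

// hardenedCORS grants credentialed cross-origin access only to origins on the
// allow-list, compared as exact strings (a prefix or substring match would let
// "https://memos.example.com.attacker.example" through). Vary: Origin keeps
// caches from serving one origin's CORS headers to another.
func hardenedCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && allowedOrigins[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// grantsCredentialedAccess is the condition a tester looks for in a response:
// the probe origin echoed back verbatim together with
// Access-Control-Allow-Credentials: true. A wildcard "*" does not count,
// because browsers refuse to attach credentials to a "*" origin.
func grantsCredentialedAccess(h http.Header, probeOrigin string) bool {
	acao := h.Get("Access-Control-Allow-Origin")
	acac := h.Get("Access-Control-Allow-Credentials")
	return acao == probeOrigin && strings.EqualFold(acac, "true")
}

// probeHandler runs the check in-process against a handler.
func probeHandler(h http.Handler, probeOrigin string) bool {
	req := httptest.NewRequest(http.MethodGet, "/api/private", nil) // hypothetical path
	req.Header.Set("Origin", probeOrigin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return grantsCredentialedAccess(rec.Header(), probeOrigin)
}

// probeLive runs the same check against a real instance, for example
// probeLive("https://memos.example.com/api/private", "https://attacker.example").
func probeLive(url, probeOrigin string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Origin", probeOrigin)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return grantsCredentialedAccess(resp.Header, probeOrigin), nil
}

func main() {
	// Stand-in for an authenticated API response (constructed sample data).
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"memos":["private note"]}`)
	})
	attacker := "https://attacker.example"
	fmt.Println("vulnerable handler reflects attacker origin:", probeHandler(vulnerableCORS(api), attacker))
	fmt.Println("hardened handler reflects attacker origin:  ", probeHandler(hardenedCORS(api), attacker))
	fmt.Println("hardened handler allows listed origin:     ", probeHandler(hardenedCORS(api), "https://memos.example.com"))
}
```

On the attacking side, the page only needs a `fetch()` to the instance with `credentials: "include"`; the reflected header is what lets the browser hand the response body to the attacker's script. When probing a live instance with `probeLive`, note that the check confirms the header behaviour only; whether the browser actually attaches the session cookie cross-site depends on that cookie's attributes.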
Exploit
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Memos