Vulnerability Description
memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Usememos | Memos | < 0.21.0 |
Related Weaknesses (CWE)
References
- https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163Product
- https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050bPatch
- https://securitylab.github.com/advisories/GHSL-2024-034_memos/ExploitThird Party Advisory
FAQ
What is CVE-2024-41659?
CVE-2024-41659 is a vulnerability with a CVSS score of 8.1 (HIGH). memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set t...
How severe is CVE-2024-41659?
CVE-2024-41659 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-41659?
Check the references section above for vendor advisories and patch information. Affected products include: Usememos Memos.