Home > Vulnerability Database > CVE-2024-29029

Mend.io Vulnerability Database

CVE-2024-29029

Good to know:

Date: April 19, 2024

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.

Language: Go

Severity Score

6.1

Related Resources (8)

Url: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos

Url: https://github.com/advisories/GHSA-9cqm-mgv9-vv9j

Url: https://github.com/usememos/memos/blob/06dbd8731161245444f4b50f4f9ed267f7c3cf63/api/v1/http_getter.go#L29

Url: https://github.com/usememos/memos

Url: https://github.com/usememos/memos/commit/bbd206e8930281eb040cc8c549641455892b9eb5

Url: https://securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos/

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-29029

Url: https://www.mend.io/vulnerability-database/CVE-2024-29029

Severity Score

6.1

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version bbd206e8930281eb040cc8c549641455892b9eb5

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-29029

Good to know:

Date: April 19, 2024

Language: Go

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?