CVE-2024-41659

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.
Configurations

No configuration.

History

22 Aug 2024, 16:15

Type Values Removed Values Added
Summary (en) memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. (en) memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.
References
  • () https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9 -

21 Aug 2024, 12:30

Type Values Removed Values Added
Summary
  • (es) Memos es un servicio de toma de notas liviano y que prioriza la privacidad. Existe una configuración incorrecta de CORS en memos 0.20.1 y versiones anteriores donde se refleja un origen arbitrario con Access-Control-Allow-Credentials establecido en verdadero. Esto puede permitir que un sitio web atacante realice una solicitud de origen cruzado, lo que le permite leer información privada o realizar cambios privilegiados en el sistema como cuenta de usuario vulnerable.

20 Aug 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-20 20:15

Updated : 2024-08-22 16:15


NVD link : CVE-2024-41659

Mitre link : CVE-2024-41659

CVE.ORG link : CVE-2024-41659


JSON object : View

Products Affected

No product.

CWE
CWE-942

Permissive Cross-domain Policy with Untrusted Domains