CVE-2024-41659

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163	Product
https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9	Patch
https://securitylab.github.com/advisories/GHSL-2024-034_memos/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:usememos:memos:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-08-20 20:15

Updated : 2025-07-10 15:36

NVD link : CVE-2024-41659

Mitre link : CVE-2024-41659

CVE.ORG link : CVE-2024-41659

JSON object : View

Products Affected

usememos

memos

CWE

CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

{"id": "CVE-2024-41659", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2024-08-20T20:15:08.207", "references": [{"url": "https://github.com/usememos/memos/blob/v0.20.1/server/server.go#L163", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://github.com/usememos/memos/commit/8101a5e0b162044c16385bee4f12a4a653d050b9", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://securitylab.github.com/advisories/GHSL-2024-034_memos/", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-942"}]}], "descriptions": [{"lang": "en", "value": "memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account. This vulnerability is fixed in 0.21.0."}, {"lang": "es", "value": "Memos es un servicio de toma de notas liviano y que prioriza la privacidad. Existe una configuraci\u00f3n incorrecta de CORS en memos 0.20.1 y versiones anteriores donde se refleja un origen arbitrario con Access-Control-Allow-Credentials establecido en verdadero. Esto puede permitir que un sitio web atacante realice una solicitud de origen cruzado, lo que le permite leer informaci\u00f3n privada o realizar cambios privilegiados en el sistema como cuenta de usuario vulnerable."}], "lastModified": "2025-07-10T15:36:42.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:usememos:memos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FC82338-D783-4959-B9C2-D1CE061F4E83", "versionEndExcluding": "0.21.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}