CVE-2022-4800 : Improper Verification of Source of a Communication Channel in GitHub repository

Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos prior to 0.9.1.

Published 2022-12-28 14:15:11

Updated 2023-01-05 23:23:45

Source huntr.dev

View at NVD, CVE.org

Products affected by CVE-2022-4800

Usememos » Memos
Versions before (<) 0.9.1
cpe:2.3:a:usememos:memos:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 16 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.6	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L	3.9	4.7	huntr.dev
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: High Availability: Low
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE-940 Improper Verification of Source of a Communication Channel

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

Assigned by: security@huntr.dev (Primary)

https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53

fix: access control (#870) · usememos/memos@3556ae4 · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://huntr.dev/bounties/aa45a6eb-cc38-45e5-a301-221ef43c0ef8

CSRF allows attacker to add malicious tags to vitim account vulnerability found in memos
Exploit;Patch;Third Party Advisory

Jump to