CVE-2023-0109: 
NixOS vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. This vulnerability (CVE-2023-0109) allows an attacker to upload a JavaScript file containing a malicious script and reference it in an HTML file. The issue was discovered in January 2023 and has been fixed in version 0.10.0 (NVD).

The vulnerability enables attackers to execute malicious scripts by uploading JavaScript files and referencing them in HTML files. When the HTML file is accessed, the malicious script is executed. The vulnerability has received varying CVSS scores: a CVSS v3.1 base score of 5.4 (MEDIUM) from NVD with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and a CVSS v3.0 score of 9.8 (CRITICAL) from huntr.dev with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

When exploited, this vulnerability can lead to the theft of sensitive information, such as login credentials, from users visiting the affected website. The cross-site scripting attack allows malicious actors to execute arbitrary JavaScript code in the context of other users' browsers (NVD).

The vulnerability has been patched in version 0.10.0 of usememos/memos. Users are advised to upgrade to this version or later to mitigate the risk. The fix was implemented through a commit that added security measures to prevent XSS attacks (GitHub).